[Rabbit-dev] cross-site-scripting vulnerability
Robert Olofsson
robert.olofsson at khelekore.org
Sun Mar 14 16:21:42 CET 2010
On Mon, 1 Mar 2010 16:21:43 -0500
Jeff Adamson <jwa at urbancode.com> wrote:
> I did not see any mechanisms within the rabbIT codebase for escaping HTML
> strings. I created the following patch which makes use of the Apache
> commons-lang 2.x project to perform the escaping.
>
> I do hope I am not being presumptuous nor intend any insult. I just needed
> the change fixed ASAP for a security audit and so I needed to do it myself
> locally.
I think I have added the core contents of the patch; I did some reworking
of it and did some cleanup in StandardResponseHeaders.java so the actual
diff looks a bit different from your patch.
Please check the actual patches and see if I have missed anything.
I did add the commons-lang version 2.5, it is quite small.
Thanks.
/robo