[CONFSERVER-13584] Logging event information is not HTML encoded in 500 error page - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 2.10
Affects Version/s: 2.9
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

The Confluence 500 error page lists logging events generated during the request the produced the 500 error page. The strings rendered from this event are not HTML encoded, leaving open a chance for an attacker to exploit this via XSS. I haven't yet investigated to see whether this is actually possible or not, but we should just encode the strings to be sure.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

500page.jsp-2.9.2
18 kB
30/Jun/2009 5:03 AM

Assignee:: Andrew Lynch (Inactive)

Reporter:: Christopher Owen [Atlassian]

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 03/Nov/2008 1:10 AM

Updated:: 11/Oct/2018 9:04 AM

Resolved:: 05/Nov/2008 11:55 PM

Details

Description

Attachments

Attachments

Forms

Activity

People

Dates