From 6e752a974c02d95831fd6645f43ea4a27180333e Mon Sep 17 00:00:00 2001 From: Andrew Pielage Date: Tue, 25 Feb 2025 11:41:02 +0000 Subject: [PATCH] FISH-10521 Escape HTTP characters Fix for CVE-2025-1534. Uses the existing method to hopefully escape only the config values being displayed, and not any of the valid HTTP tags. Signed-off-by: Andrew Pielage --- .../admin/rest/provider/ActionReportResultHtmlProvider.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nucleus/admin/rest/rest-service/src/main/java/org/glassfish/admin/rest/provider/ActionReportResultHtmlProvider.java b/nucleus/admin/rest/rest-service/src/main/java/org/glassfish/admin/rest/provider/ActionReportResultHtmlProvider.java index 2c5667e5226..9ed12223348 100644 --- a/nucleus/admin/rest/rest-service/src/main/java/org/glassfish/admin/rest/provider/ActionReportResultHtmlProvider.java +++ b/nucleus/admin/rest/rest-service/src/main/java/org/glassfish/admin/rest/provider/ActionReportResultHtmlProvider.java @@ -37,7 +37,7 @@ * only if the new code is made subject to such option by the copyright * holder. */ -// Portions Copyright [2019-2021] [Payara Foundation and/or its affiliates] +// Portions Copyright 2019-2025 Payara Foundation and/or its affiliates package org.glassfish.admin.rest.provider; @@ -330,7 +330,7 @@ protected String processChildren(List parts) { result.append("
  • ") .append("") .append(""); @@ -369,7 +369,7 @@ protected String getHtmlRepresentation(Object object) { result = getHtml((Map) object); } } else { - result = object.toString(); + result = ResourceUtil.encodeString(object.toString()); } return result;
    Message") - .append(part.getMessage()) + .append(ResourceUtil.encodeString(part.getMessage())) .append("
    Properties") .append(getHtml(part.getProps())) .append("
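Review bot: In the processChildren hunk only `part.getMessage()` is wrapped in `ResourceUtil.encodeString`, while the neighbouring `.append(getHtml(part.getProps()))` is emitted as-is, and the getHtmlRepresentation hunk likewise leaves the `result = getHtml((Map) object);` branch untouched; unless `getHtml(Map)` escapes keys and values itself (not visible in this patch), property values reach the page with the same exposure the commit closes for the message text. The patch also does not show what `ResourceUtil.encodeString` does — confirm it HTML-escapes at least `&`, `<` and `>` for element content (and quotes if a value can ever land in an attribute); if it is a URL encoder rather than an HTML escaper the output is safe but displayed text will carry `+` and `%xx` sequences. I would add a why-comment at the encode call so the guard survives refactoring, e.g. `// message text comes from user-supplied configuration; escape before embedding in HTML (CVE-2025-1534)`, and a regression test that renders a part whose message contains a literal `<script>` tag and asserts the raw tag is absent from the output. Both enclosing methods continue outside their hunks.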