FISH-10521 Escape HTTP characters

Fix for CVE-2025-1534. Uses the existing method to hopefully escape only the config values being displayed, and not any of the valid HTTP tags. Signed-off-by: Andrew Pielage <[email protected]>
payara · Feb 25, 2025 · 6e752a9 · 6e752a9
1 parent d861d88
commit 6e752a9
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/...rvice/src/main/java/org/glassfish/admin/rest/provider/ActionReportResultHtmlProvider.java b/...rvice/src/main/java/org/glassfish/admin/rest/provider/ActionReportResultHtmlProvider.java
@@ -37,7 +37,7 @@
  * only if the new code is made subject to such option by the copyright
  * holder.
  */
-// Portions Copyright [2019-2021] [Payara Foundation and/or its affiliates]
+// Portions Copyright 2019-2025 Payara Foundation and/or its affiliates
 
 package org.glassfish.admin.rest.provider;
 
@@ -330,7 +330,7 @@ protected String processChildren(List<ActionReport.MessagePart> parts) {
             result.append("<li><table border=\"1\" style=\"border-collapse: collapse\">")
                     .append("<tr><td>Message</td>")
                     .append("<td>")
-                    .append(part.getMessage())
+                    .append(ResourceUtil.encodeString(part.getMessage()))
                     .append("</td></tr><td>Properties</td><td>")
                     .append(getHtml(part.getProps()))
                     .append("</td></tr>");
@@ -369,7 +369,7 @@ protected String getHtmlRepresentation(Object object) {
                 result = getHtml((Map) object);
             }
         } else {
-            result = object.toString();
+            result = ResourceUtil.encodeString(object.toString());
         }
 
         return result;