Merge pull request #4 from ashokpanghal/issues/SLING-8388

SLING-8388 : XSS possible in system console - servletresolver
diff --git a/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java b/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java
index 58ffcf0..c3ee850 100644
--- a/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java
+++ b/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java
@@ -224,7 +224,7 @@
                     // check for non-existing resources
                     if (ResourceUtil.isNonExistingResource(resource)) {
                         pw.println("The resource given by path '");
-                        pw.println(resource.getPath());
+                        pw.println(ResponseUtil.escapeXml(resource.getPath()));
                         pw.println("' does not exist. Therefore no resource type could be determined!<br/>");
                     }
                     pw.print("Candidate servlets and scripts in order of preference for method ");
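Review bot: Only the `resource.getPath()` sink is escaped here, and the hunk ends on the `pw.print("Candidate servlets and scripts in order of preference for method ")` line, so the value printed after it is not visible; if that method name, or anything else written to this page, is derived from request parameters, it needs the same `ResponseUtil.escapeXml(...)` call, so the rest of the method should be checked. A short comment above the new line would keep the escape from being dropped in a later refactor, for example `// path may originate from the request; escape before writing it into the HTML response`. Separately, the three `println` calls put line breaks between the quotes and the path in the emitted markup, so `pw.print` would be the cleaner choice for the first two. The enclosing method starts and ends outside this hunk.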