1 Reply   Latest reply: Nov 19, 2008 10:58 AM by clee201110141

    Hyperic needs to sanitize stack traces

    emsearcy Hot Shot
      On the error page where Hyperic allows the user to see a stack trace, the application outputs the stack trace verbatim without running it through a sanitizer. For instance, a recent stack trace I had contains the line:


      The <init> in this only shows up in an HTML View Source, not in the browser window. This is because the browser is interpreting it as a tag! Luckily that's not a tag that causes any issues, but naturally there could be anything in there, from something that would mess up rendering to a potential security vulnerability via an XSS attack.

      Java should have some native web sanitizers this can be (needs to be!) streamed through.
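The fix the post is asking for is output encoding: escape the stack trace text for the HTML context before writing it into the error page, so a frame like `Foo.<init>(Foo.java:12)` reaches the reader as literal text rather than being parsed as an `<init>` element. The following is an added, stand-alone example and is not Hyperic's code; the class name `SafeStackTrace`, the helper methods, and the throwing `Widget` constructor are all constructed for illustration. Java SE of that era shipped no HTML encoder in the standard library, so the escaper is written out by hand here; in real code a maintained library such as the OWASP Java Encoder (`Encode.forHtml`) or Apache Commons Lang's `StringEscapeUtils` does the same job.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

/**
 * Added example (not Hyperic's code): render a Throwable's stack trace into
 * an HTML error page with every HTML-significant character escaped, so that
 * a constructor frame such as "Widget.<init>(...)" is displayed literally
 * instead of being swallowed by the browser as an <init> tag.
 */
public class SafeStackTrace {

    /**
     * Minimal HTML escaper covering the five characters that matter in
     * element text and quoted attribute values. Production code should
     * prefer a maintained encoder library over a hand-rolled one.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The stack trace as plain text, exactly what the unsanitized page emits. */
    public static String stackTraceText(Throwable t) {
        StringWriter sw = new StringWriter();
        t.printStackTrace(new PrintWriter(sw));
        return sw.toString();
    }

    /** Safe HTML fragment for an error page: escape first, then wrap in <pre>. */
    public static String stackTraceHtml(Throwable t) {
        return "<pre class=\"stacktrace\">" + escapeHtml(stackTraceText(t)) + "</pre>";
    }

    /**
     * Constructed for the demo: a constructor that throws, so the trace has a
     * "<init>" frame, with an exception message carrying attacker-looking
     * markup to show that message text is escaped the same way.
     */
    static class Widget {
        Widget() {
            throw new IllegalStateException("bad value: <script>alert(1)</script>");
        }
    }

    public static void main(String[] args) {
        try {
            new Widget();
        } catch (IllegalStateException e) {
            String raw  = stackTraceText(e);
            String safe = stackTraceHtml(e);
            System.out.println("raw contains <init>:           " + raw.contains("<init>"));
            System.out.println("escaped contains <init>:       " + safe.contains("<init>"));
            System.out.println("escaped contains &lt;init&gt;: " + safe.contains("&lt;init&gt;"));
            System.out.println("escaped contains <script>:     " + safe.contains("<script>"));
            System.out.println(safe);
        }
    }
}
```

The important ordering is escape-then-wrap: the `<pre>` wrapper is trusted markup added by the page, while everything that came from the exception (class names, method names, and especially the exception message, which can echo user-supplied input) passes through `escapeHtml` before it is concatenated into the response.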