It looks to me like Winstone's default handling of ServletExceptions doesn't
"html escape" the exception contents. At my place of work, we are running
Jenkins. The security folks are on my back because you can pass <script>
elements as request parameters and get Jenkins to reflect back the script to the
browser in the error message. This is considered a serious XSS
vulnerability. This isn't a problem when Jenkins is run with Tomcat because
the exception message is escaped in the error page.
This could be solved in a number of ways. I'm wondering if this is
something you would entertain changing in Winstone itself? If so, I'm happy
to investigate further. Otherwise, I'll see if the Jenkins developers want
to entertain a fix.
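An added illustration of the escaping problem described above, not code from Winstone, Jenkins or the poster: the unescaped error-page pattern beside a version that HTML-escapes the exception message before writing it into the page. The class name, method names and the sample message are assumptions.

```java
public final class ErrorPageEscaping {
    // Minimal HTML escaper for text placed in an element body (assumed helper,
    // not Winstone's own). Replaces the five characters that can change markup.
    static String htmlEscape(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The unsafe pattern: exception text is written into the page verbatim,
    // so anything a request parameter put into the message is rendered as HTML.
    static String unsafeErrorPage(Throwable t) {
        return "<html><body><h1>Error</h1><pre>" + t.getMessage()
             + "</pre></body></html>";
    }

    // Hardened form: the same page, with the attacker-influenced string escaped
    // before insertion, so the browser shows it as text rather than executing it.
    static String safeErrorPage(Throwable t) {
        return "<html><body><h1>Error</h1><pre>" + htmlEscape(t.getMessage())
             + "</pre></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample: a request parameter value echoed into an exception.
        String param = "<script>alert(1)</script>";
        Throwable t = new RuntimeException("Bad value for parameter: " + param);

        String unsafe = unsafeErrorPage(t);
        String safe = safeErrorPage(t);
        System.out.println(unsafe); // script element survives intact
        System.out.println(safe);   // rendered as &lt;script&gt;alert(1)&lt;/script&gt;

        // Self-check: the hardened page must not contain a live script element.
        if (!unsafe.contains("<script>") || safe.contains("<script>")) {
            throw new AssertionError("escaping check failed");
        }
    }
}
```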