Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8087579

javafxpackager deploy task: -htmlparamfile option doesn't escape any characters

    XMLWordPrintable

    Details

      Description

      If we'll write some crap into properties file, that needs to be escaped, i.e. double-quotes, we see that this line is not changed, so software that uses packager might be vulnerable because of this.

      I attach some HelloWorld project to see this, to invoke it with htmlparamfiles type:
      ant -f simple-build-big-cli.xml deploy-with-htmlparamfile

        Attachments

          Activity

            People

            Assignee:
            shemnon Danno Ferrin (Inactive)
            Reporter:
            dginzbur Dmitry Ginzburg (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Imported: