Logging event information is not HTML encoded in 500 error page

2008-11-03T01:10:24
ID ATLASSIAN:CONF-13584
Type atlassian
Reporter christopher.owen@atlassian.com
Modified 2017-02-17T05:14:57

Description

The Confluence 500 error page lists logging events generated during the request that produced the 500 error page. The strings rendered from this event are not HTML encoded, leaving open a chance for an attacker to exploit this via XSS. I haven't yet investigated to see whether this is actually possible or not, but we should just encode the strings to be sure.