Logging event information is not HTML encoded in 500 error page

Type atlassian
Reporter christopher.owen@atlassian.com
Modified 2018-10-11T09:04:52


The Confluence 500 error page lists logging events generated during the request that produced the 500 error page. The strings rendered from these events are not HTML encoded, leaving open a chance for an attacker to exploit this via XSS. I haven't yet investigated to see whether this is actually possible or not, but we should just encode the strings to be sure.
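As an added illustration, not Confluence's own code: a small Python model of the defect described above, where log events captured during a request are rendered into a 500 page. `render_error_page(..., encode=False)` reproduces the unencoded behaviour and `encode=True` shows the fix; the logger name, page title and page markup are constructed for the example.

```python
import html
import logging
from typing import List


class CapturingHandler(logging.Handler):
    """Collects the formatted log records emitted during one request."""

    def __init__(self) -> None:
        super().__init__()
        self.events: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.events.append(self.format(record))


def render_error_page(events: List[str], encode: bool = True) -> str:
    """Render a 500 page listing the request's log events.

    encode=False models the reported defect: event strings are dropped
    into the HTML verbatim, so any markup in a log message becomes live
    markup in the page. encode=True applies html.escape to every string.
    """
    esc = html.escape if encode else (lambda s: s)
    items = "".join(f"<li>{esc(e)}</li>" for e in events)
    return f"<html><body><h1>500 Internal Server Error</h1><ul>{items}</ul></body></html>"


def simulate_request(encode: bool) -> str:
    """Log a message containing user-controlled text, then render the page."""
    logger = logging.getLogger("example.confluence.request")  # constructed name
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = CapturingHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    logger.addHandler(handler)
    try:
        # Constructed sample: request input that a component echoed into a log line.
        page_title = "<script>alert(1)</script>"
        logger.error("page lookup failed for title %s", page_title)
    finally:
        logger.removeHandler(handler)
    return render_error_page(handler.events, encode=encode)


def events_rendered_safely(page: str) -> bool:
    """Defensive check: no raw tag delimiters may survive inside the <li> items."""
    body = page.split("<ul>", 1)[1].split("</ul>", 1)[0]
    inner = body.replace("<li>", "").replace("</li>", "")
    return "<" not in inner and ">" not in inner
```
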