Description: CVE-2025-54812 - part 2 - Improper escaping in html attribute data
Origin: https://github.com/apache/logging-log4cxx/pull/509
Bug: https://logging.apache.org/security.html#CVE-2025-54812
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111879

From 0b3749504f0f1bd83ca8a7b391687fdfcd1f94a6 Mon Sep 17 00:00:00 2001
From: Stephen Webb <swebb2066@gmail.com>
Date: Thu, 24 Jul 2025 11:18:34 +1000
Subject: [PATCH] Escape any logger name '&' or '"' in html attribute data

---
 src/main/cpp/htmllayout.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/cpp/htmllayout.cpp b/src/main/cpp/htmllayout.cpp
index cce9c1dc2..f1b2747c4 100644
--- a/src/main/cpp/htmllayout.cpp
+++ b/src/main/cpp/htmllayout.cpp
@@ -98,9 +98,9 @@ void HTMLLayout::format(LogString& output,
 
 	output.append(LOG4CXX_STR("<td title=\""));
 	LogString threadName(event->getThreadName());
-	output.append(threadName);
+	Transform::appendEscapingTags(output, threadName);
 	output.append(LOG4CXX_STR(" thread\">"));
-	output.append(threadName);
+	Transform::appendEscapingTags(output, threadName);
 	output.append(LOG4CXX_STR("</td>"));
 	output.append(LOG4CXX_EOL);
 
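Review bot: The first added call fills the double-quoted `title="…"` attribute, so it is only safe if `Transform::appendEscapingTags` escapes `"` and `&` as well as `<` and `>`; neither the helper's name nor this hunk shows that. I would add a comment above that call such as `// attribute context: relies on appendEscapingTags escaping '"' and '&', not only tags`. A layout regression test would also help: format an event whose thread name contains `"`, `&` and `<`, then check that none of them appears unescaped in the output. The subject line mentions the logger name, while this hunk changes the thread-name cell. `HTMLLayout::format` starts and ends outside the hunk, so whether the other event fields written into the row are escaped cannot be confirmed from here.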
