Description: CVE-2025-54812 - part 3 - improper escape of thread name in htmllayoutappender
Origin: https://github.com/apache/logging-log4cxx/pull/513
Bug: https://logging.apache.org/security.html#CVE-2025-54812
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111879

From ffc2ab7138577bca0e4f0b0d48cacd386cce09cd Mon Sep 17 00:00:00 2001
From: Stephen Webb <swebb2066@gmail.com>
Date: Mon, 21 Jul 2025 15:43:01 +1000
Subject: [PATCH] Allow a HTMLLayout title to contain characters special to
 HTML

---
 src/main/cpp/htmllayout.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/cpp/htmllayout.cpp b/src/main/cpp/htmllayout.cpp
index ed6e61d76..cce9c1dc2 100644
--- a/src/main/cpp/htmllayout.cpp
+++ b/src/main/cpp/htmllayout.cpp
@@ -183,7 +183,7 @@ void HTMLLayout::appendHeader(LogString& output, Pool& p)
 	output.append(LOG4CXX_STR("<head>"));
 	output.append(LOG4CXX_EOL);
 	output.append(LOG4CXX_STR("<title>"));
-	output.append(m_priv->title);
+	Transform::appendEscapingTags(output, m_priv->title);
 	output.append(LOG4CXX_STR("</title>"));
 	output.append(LOG4CXX_EOL);
 	output.append(LOG4CXX_STR("<style type=\"text/css\">"));
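Review bot: The new call `Transform::appendEscapingTags(output, m_priv->title);` ships without a regression test. The diffstat lists only src/main/cpp/htmllayout.cpp, so a later edit to appendHeader could restore the raw `output.append(m_priv->title)` unnoticed. A test that sets a title containing `<`, `>` and `&` and asserts the header carries the entity-encoded form would pin the fix. A short comment above the call would record the intent: `// escape the title so HTML-special characters are emitted as text, not markup`. The patch header describes thread-name escaping while this hunk only touches the title, so coverage of the other fields has to be confirmed against the rest of the series. appendHeader's body starts and ends outside the hunk.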
