Description: CVE-2025-54812 - part 2 - Improper escaping in html attribute data
Origin: https://github.com/apache/logging-log4cxx/pull/509
Bug: https://logging.apache.org/security.html#CVE-2025-54812
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111879
From 0b3749504f0f1bd83ca8a7b391687fdfcd1f94a6 Mon Sep 17 00:00:00 2001
From: Stephen Webb <swebb2066@gmail.com>
Date: Thu, 24 Jul 2025 11:18:34 +1000
Subject: [PATCH] Escape any logger name '&' or '"' in html attribute data
---
src/main/cpp/htmllayout.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/cpp/htmllayout.cpp b/src/main/cpp/htmllayout.cpp
index cce9c1dc2..f1b2747c4 100644
--- a/src/main/cpp/htmllayout.cpp
+++ b/src/main/cpp/htmllayout.cpp
@@ -98,9 +98,9 @@ void HTMLLayout::format(LogString& output,
output.append(LOG4CXX_STR("<td title=\""));
LogString threadName(event->getThreadName());
- output.append(threadName);
+ Transform::appendEscapingTags(output, threadName);
output.append(LOG4CXX_STR(" thread\">"));
- output.append(threadName);
+ Transform::appendEscapingTags(output, threadName);
output.append(LOG4CXX_STR("</td>"));
output.append(LOG4CXX_EOL);