From b6aa47844c36484078b3358b74ee727623c6fd50 Mon Sep 17 00:00:00 2001
From: Pierre De Rop
Date: Mon, 25 Sep 2023 13:28:36 +0200
Subject: [PATCH] Rebased in order to pick up #2903. (#2902)

Fix cross-site scripting (XSS) vulnerability github security alert in the TomcatServer class.
See https://github.com/reactor/reactor-netty/security/code-scanning/9
---
 .../src/test/java/reactor/netty/TomcatServer.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/reactor-netty-http/src/test/java/reactor/netty/TomcatServer.java b/reactor-netty-http/src/test/java/reactor/netty/TomcatServer.java
index 27df0dcfd1..61d6f97dcf 100644
--- a/reactor-netty-http/src/test/java/reactor/netty/TomcatServer.java
+++ b/reactor-netty-http/src/test/java/reactor/netty/TomcatServer.java
@@ -21,6 +21,7 @@
 import org.apache.coyote.AbstractProtocol;
 import org.apache.coyote.ProtocolHandler;
 import org.apache.coyote.http11.AbstractHttp11Protocol;
+import org.apache.tomcat.util.security.Escape;
 
 import javax.servlet.MultipartConfigElement;
 import javax.servlet.ServletException;
@@ -183,7 +184,10 @@ protected void service(HttpServletRequest req, HttpServletResponse resp) throws
 			}
 
 			resp.setStatus(Integer.parseInt(path));
-			writer.print(path);
+			// Use Tomcat's HTML escaping method, to avoid cross-site scripting Github security alert.
+			String sanitizedPath = Escape.htmlElementContent(path);
+
+			writer.print(sanitizedPath);
 			writer.flush();
 		}
 	}
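Review bot: By the time `writer.print` runs in the second hunk, `Integer.parseInt(path)` on the preceding context line has already succeeded, so the echoed value can only be a decimal integer string and the new `Escape.htmlElementContent(path)` call is defense in depth rather than the fix the added comment suggests. Making that structural removes the dependency on the escaper and the raw request string altogether: `int status = Integer.parseInt(path);`, `resp.setStatus(status);`, `writer.print(status);`. If the escaping is kept, the comment should state the actual reasoning instead of the alert, e.g. `// path was validated as an int above; HTML-escape it anyway so the echo stays safe if that check is ever moved or relaxed.`, and the blank line between the assignment and the print can go. Whether unescaped output would be interpreted as HTML at all depends on the response content type, which is set outside this hunk. The start of service() is outside the hunk.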