null character used as a toggle control character in net.sourceforge.stripes.tag.layout.LayoutWriter

Description

In the net.sourceforge.stripes.tag.layout.LayoutWriter class, the silent state is toggled as shown in the code snippet at the end. As we can see, the '\0' character is used as the toggle. If any output passing through the LayoutWriter contains null characters, everything after the first null character is silenced and the second null turns the output back on. For example, a URL input value such as "<%00silenced%00script>" (where %00 is the URL-encoded null character) would be rendered and output as "<script>" if no encoding is involved.

    private static final char TOGGLE = 0;
    ...
    @Override
    public void write(char[] cbuf, int off, int len) throws IOException {
        for (int i = off, mark = i, n = i + len; i < n; ++i) {
            switch (cbuf[i]) {
            case TOGGLE:
                if (this.silentState)
                    mark = i + 1;
                else if (i > mark)
                    getOut().write(cbuf, mark, i - mark);
                this.silentState = !this.silentState;
                break;
            default:
                ....
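The following is an added, self-contained Java example and not Stripes code: it models the in-band null-character toggle the report describes (the tail handling after the loop is our own simplification, since the snippet above elides the default branch), runs the report's sample value through it, and contrasts it with a writer whose silent state is set by a method call rather than by a character in the data stream. The class and method names (InBandToggleWriter, OutOfBandToggleWriter, setSilent) are assumptions for illustration.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

/** Added example, not part of Stripes: in-band NUL toggle versus an out-of-band toggle. */
public class NulToggleDemo {

    /** Simplified model of the reported write loop; assumption: our own tail handling. */
    static final class InBandToggleWriter extends Writer {
        private static final char TOGGLE = 0;   // the magic character the report quotes
        private final Writer out;
        private boolean silentState = false;

        InBandToggleWriter(Writer out) { this.out = out; }

        @Override
        public void write(char[] cbuf, int off, int len) throws IOException {
            int mark = off, n = off + len;
            for (int i = off; i < n; ++i) {
                if (cbuf[i] == TOGGLE) {
                    // any NUL in the data flips the silent flag: data is acting as control
                    if (!silentState && i > mark) out.write(cbuf, mark, i - mark);
                    silentState = !silentState;
                    mark = i + 1;
                }
            }
            if (!silentState && n > mark) out.write(cbuf, mark, n - mark);
        }
        @Override public void flush() throws IOException { out.flush(); }
        @Override public void close() throws IOException { out.close(); }
    }

    /** Out-of-band variant: silencing is controlled by a method, never by stream content. */
    static final class OutOfBandToggleWriter extends Writer {
        private final Writer out;
        private boolean silent = false;

        OutOfBandToggleWriter(Writer out) { this.out = out; }

        void setSilent(boolean silent) { this.silent = silent; }

        @Override
        public void write(char[] cbuf, int off, int len) throws IOException {
            if (!silent) out.write(cbuf, off, len);   // NUL is ordinary data here
        }
        @Override public void flush() throws IOException { out.flush(); }
        @Override public void close() throws IOException { out.close(); }
    }

    static String render(Writer w, StringWriter sink, String s) throws IOException {
        w.write(s);   // Writer.write(String) delegates to write(char[], int, int)
        w.flush();
        return sink.toString();
    }

    static String show(String s) {
        return s.replace("\0", "\\0");   // make NULs visible when printed
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the report's value with real NUL characters in place of %00
        String tainted = "<\0silenced\0script>";

        StringWriter a = new StringWriter();
        String vuln = render(new InBandToggleWriter(a), a, tainted);
        System.out.println("in-band toggle : " + show(vuln));    // <script>

        StringWriter b = new StringWriter();
        OutOfBandToggleWriter oob = new OutOfBandToggleWriter(b);
        String safe = render(oob, b, tainted);
        System.out.println("out-of-band    : " + show(safe));    // <\0silenced\0script>

        // Check a filter can apply to untrusted values before they reach the layout writer
        if (tainted.indexOf('\0') >= 0) {
            System.out.println("NUL found in input: reject or strip it, and HTML-encode the value");
        }
    }
}
```

The first writer shows why a control character that can also appear in user-controlled data is unsafe: the silenced span disappears and the surrounding fragments are joined. The second writer keeps the toggle out of the data path entirely, so a NUL survives as an ordinary character and can be handled by whatever encoding or validation the page applies to output values.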

Environment

None

Status

Assignee

Unassigned

Reporter

Xiaoyong Wu

Labels

None

Tester

None

Components

Affects versions

Release 1.5.8
Release 1.5.7

Priority

Major