users@jersey.java.net

[Jersey] Jersey sends back an unescaped Accept header.

From: <juchems_mark_e_at_cat.com>
Date: Fri, 28 Sep 2012 18:58:06 +0000 (GMT)

Hey guys!

Though I don't answer many questions, I am an avid reader of the
questions and solutions posted.

I have a Jersey app that has been run through our corporation's website
vulnerability tool. It came back with a vulnerability that is quite
odd. If you send in an Accept header with some script in it, it is returned
unescaped.

See:
http://stackoverflow.com/questions/12568143/is-escaping-the-accept-header-necessary

I also have been unable to remove the script tag:

http://stackoverflow.com/questions/12645672/is-there-a-way-to-clean-an-accept-header-in-java

I believe that Jersey should not return such a header. Bug?
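One way to keep markup out of the value that gets echoed back, as an added example that is not code from this post or from Jersey itself: a Servlet 3.0 filter (hypothetical names `AcceptHeaderFilter`, `sanitize`, `Cleaned`) that wraps the request so Jersey only ever sees the media ranges of the Accept header that match a strict token grammar. Ranges that do not parse are dropped rather than escaped, and if nothing parseable is left the header is reported as absent, which Jersey treats like `*/*`.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter (not Jersey code): Jersey only sees well-formed media ranges. */
public class AcceptHeaderFilter implements Filter {
    // Narrower than an RFC 2616 token on purpose: no quotes, '<', '>', '(', ')',
    // '/' or ';', so no markup can survive into a response that echoes the header.
    private static final String TOKEN = "[A-Za-z0-9!#$%&*+.^_|~-]+";
    private static final Pattern MEDIA_RANGE = Pattern.compile(
            TOKEN + "/" + TOKEN + "(?:\\s*;\\s*" + TOKEN + "=" + TOKEN + ")*");

    static String sanitize(String accept) {
        if (accept == null) return null;
        StringBuilder kept = new StringBuilder();
        for (String part : accept.split(",")) {
            String range = part.trim();
            if (!MEDIA_RANGE.matcher(range).matches()) continue;   // drop, do not escape
            kept.append(kept.length() == 0 ? "" : ", ").append(range);
        }
        return kept.length() == 0 ? null : kept.toString();        // null = header absent
    }

    // Request view that answers every lookup of "Accept" with the cleaned value.
    private static final class Cleaned extends HttpServletRequestWrapper {
        private final String accept;
        Cleaned(HttpServletRequest req) { super(req); accept = sanitize(req.getHeader("Accept")); }
        @Override public String getHeader(String name) {
            return "accept".equalsIgnoreCase(name) ? accept : super.getHeader(name);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            if (!"accept".equalsIgnoreCase(name)) return super.getHeaders(name);
            return Collections.enumeration(accept == null
                    ? Collections.<String>emptyList() : Collections.singletonList(accept));
        }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) req = new Cleaned((HttpServletRequest) req);
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig cfg) {} @Override public void destroy() {}
}
```

The filter has to be mapped ahead of the Jersey servlet in web.xml (filters run in declaration order), and with this grammar an input such as `text/html, <script>x</script>` reaches Jersey as just `text/html`.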