
I want to log in to my app, but I always get a "The entity name must immediately follow the '&' in the entity reference" error since putting a CORS Filter into my web.xml file.

The funny thing is this error doesn't happen when I don't have the CORS Filter, so it has to do something with this code.

Any ideas on why this is happening?

Here is the CORS filter code:

  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.methods</param-name>
      <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
    </init-param>
    <init-param>
      <param-name>cors.exposed.headers</param-name>
      <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Methods</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>

Already tried the entity names &lt and &gt, but it didn't work either, or maybe I did something wrong.

KevinM
  • The message is usually from an unescaped `&` in HTML/XML. `&` needs to be escaped as `&amp;` (the valid entity reference for it). Otherwise the parser tries to read it as an entity reference using the following characters. I don't see an `&` in your XML - so it might be the code that is using the XML. – ThW Feb 09 '23 at 08:53
  • Thank you for your answer, I actually found out what the problem was: my password to log in to the app had a &-character in it and somehow this was the problem. Could be that the &-character in the password was interpreted as an entity reference – KevinM Feb 18 '23 at 11:30
  • That could indicate missing escaping. If the password is put into an XML string without proper escaping it could result in the error message. It is a possible security issue - an XML injection. – ThW Feb 18 '23 at 19:40
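
The defect the comments converge on, shown as an added example that is not code from the question or from Tomcat: a login request body is built by string concatenation, so a password containing `&` (or `<`) corrupts the XML and the parser reports exactly the kind of error above; escaping the value (or building the document through a DOM API, which escapes for you) fixes both the parse failure and the XML-injection risk. The class name, the `<login>` document shape and the sample password are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XmlEscapeDemo {

    // Constructed sample credential containing an ampersand, like the one in the question.
    // A digit after '&' is not a valid entity-name start, so the parser fails on the '&' itself.
    static final String PASSWORD = "secret&2023";

    // Vulnerable: raw concatenation, no escaping. This reproduces the question's error
    // and also lets a value containing '<' or '&' change the document's structure.
    static String buildLoginXmlUnsafe(String user, String password) {
        return "<login><user>" + user + "</user><password>" + password + "</password></login>";
    }

    // Minimal XML escaping for element content and attribute values.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened: every untrusted value is escaped before it is placed in markup.
    static String buildLoginXmlSafe(String user, String password) {
        return "<login><user>" + escapeXml(user) + "</user><password>"
                + escapeXml(password) + "</password></login>";
    }

    // Parse with DTD processing disabled so the test parser cannot be abused via a DOCTYPE.
    static String parsePassword(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("password").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // 1. Unescaped '&' breaks parsing, which is the symptom reported in the question.
        try {
            parsePassword(buildLoginXmlUnsafe("kevin", PASSWORD));
            System.out.println("unsafe: unexpectedly parsed");
        } catch (SAXParseException e) {
            System.out.println("unsafe: " + e.getMessage());
        }

        // 2. Escaped value parses and round-trips unchanged.
        String back = parsePassword(buildLoginXmlSafe("kevin", PASSWORD));
        System.out.println("safe round-trip ok: " + PASSWORD.equals(back));

        // 3. Escaping also neutralises markup in the value: it stays text, not structure.
        String markupInValue = "x</password><role>admin</role><password>y";
        String kept = parsePassword(buildLoginXmlSafe("kevin", markupInValue));
        System.out.println("markup kept as text: " + markupInValue.equals(kept));
    }
}
```

Compile and run with `javac XmlEscapeDemo.java && java XmlEscapeDemo`; the first line printed is the parser's own message for the unescaped ampersand. In production code, prefer letting the XML library produce the document (for example `Element.setTextContent` plus a `Transformer`, or JAXB) rather than hand-rolling escaping, and treat any place where user input is concatenated into XML as an injection sink to review.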

0 Answers