Unescaped & in CAS Protocol

Jeffrey Simpson

Nov 30, 2017, 4:45:09 PM
to cas-...@apereo.org
I am using 5.1.5 but I believe this is also 5.2.

If the username has an & in it, the & is put into the XML of CAS 3 ServiceValidation unescaped.

Here is an example of the returned XML.



<cas:authenticationSuccess>
        <cas:user>mary&mike</cas:user>
        <cas:attributes>
            <cas:mail>mikea...@qwerty.com</cas:mail>
            <cas:userPrincipalName>mary&amp;mike</cas:userPrincipalName>

            <cas:cn>Mike Smith</cas:cn>

            </cas:attributes>

    </cas:authenticationSuccess>
</cas:serviceResponse>

As you can see in <cas:user>mary&mike</cas:user> the & is unescaped.

Here is a snippet of casServiceValidationSuccess.html.

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user th:utext="${principal.id}"/>

Shouldn't the last line be a th:text, not a th:utext?


I can make the change in my overlay with no problem. Am I right in the general case? In that case I can make the change and submit a pull request.

Also, is there a bug tracker for the CAS project? I can find the old JASIG one but not a recent one.


Jeffrey Simpson | Senior Software Engineer
Youth For Understanding USA
(p) 202.774.5266 (f) 202.588.7571
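
The behaviour described in this post, as an added example that is not part of the original message or of the CAS code base: a raw `&` in `cas:user` makes the validation response ill-formed for a strict XML client, while the escaped form round-trips. The names `render_success` and `parse_user` are hypothetical, and Python's `escape` stands in for the escaping Thymeleaf applies with `th:text` and skips with `th:utext`.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace from the template in the post


def render_success(principal_id, escape_output):
    """Render a minimal CAS 3 success response (hypothetical helper).

    escape_output=False mimics th:utext (value written raw);
    escape_output=True mimics th:text (value XML-escaped).
    """
    user = escape(principal_id) if escape_output else principal_id
    return (
        f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
        "<cas:authenticationSuccess>"
        f"<cas:user>{user}</cas:user>"
        "</cas:authenticationSuccess>"
        "</cas:serviceResponse>"
    )


def parse_user(response_xml):
    """Return the cas:user text as a strict XML client would see it.

    Returns None when the response is not well-formed XML or has no
    cas:user element, which is what a CAS client must treat as a
    failed validation.
    """
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return None
    node = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return node.text if node is not None else None


if __name__ == "__main__":
    principal = "mary&mike"  # constructed sample, same shape as the post's username
    for label, escaped in (("th:utext (raw)", False), ("th:text (escaped)", True)):
        xml_doc = render_success(principal, escaped)
        print(f"{label:18} -> {parse_user(xml_doc)!r}")
        print(f"    {xml_doc}")
```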