Jordi Fernandez
Fri, 15 Jan 2010 01:12:08 -0800
The s2 hidden tag (and other input tags) does not escape html characters by default as the property tag does. This can lead easily to XSS attacks if you develop a stateless application in which the client is maintaining state. Is there a good reason for this? I think a sensible default would be to escape html in all input tags. What do you think?
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
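As an added illustration of the point raised in the post (this is not code from the thread or from Struts), a Python stand-in for the two rendering behaviours: an input tag that writes client-supplied state into the value attribute verbatim, beside one that escapes it the way the property tag does. The state value and the tag names are constructed for the example.

```python
import html
import re

# Constructed sample of client-maintained state that comes back in a request
# parameter and is re-rendered into a hidden field. It is not a real value
# from the thread; it only needs a double quote and angle brackets to show
# how an unescaped value escapes the attribute it was meant to sit in.
UNTRUSTED_STATE = 'step2"><b>injected</b><input type="hidden" value="'

# Naive tag scanner: good enough to count how many tags a browser would see.
TAG_RE = re.compile(r"<[^>]+>")
# Pulls the first value="..." attribute out of rendered markup.
VALUE_RE = re.compile(r'value="([^"]*)"')


def render_hidden_unescaped(name: str, value: str) -> str:
    """Models an input tag that copies the value into the attribute as-is."""
    return f'<input type="hidden" name="{name}" value="{value}"/>'


def render_hidden_escaped(name: str, value: str) -> str:
    """Models the property-tag behaviour: HTML-escape before emitting.

    html.escape(quote=True) rewrites & < > " and ', so the value can neither
    close the attribute nor start a new tag.
    """
    return (
        f'<input type="hidden" name="{html.escape(name, quote=True)}"'
        f' value="{html.escape(value, quote=True)}"/>'
    )


def count_tags(markup: str) -> int:
    """Exactly one tag is expected from a single hidden input."""
    return len(TAG_RE.findall(markup))


def recover_value(markup: str) -> str:
    """What the server gets back when the browser submits the field."""
    match = VALUE_RE.search(markup)
    return html.unescape(match.group(1)) if match else ""


if __name__ == "__main__":
    for render in (render_hidden_unescaped, render_hidden_escaped):
        out = render("state", UNTRUSTED_STATE)
        print(render.__name__, "->", count_tags(out), "tag(s), round trip ok:",
              recover_value(out) == UNTRUSTED_STATE)
```

The unescaped form turns one hidden field into several elements and loses the original state on round trip; the escaped form renders one tag and returns the state intact.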