[ http://jira.codehaus.org/browse/DISPL-223?page=all ]
fabrizio giustina closed DISPL-223:
-----------------------------------
Resolution: Incomplete
Cross site scripting means that a user could inject a script by passing
parameters to the page: the "property" attribute specifies a value to be fetched
from an object provided server side by the application, not from a parameter.
This has nothing to do with cross site scripting.
> column property attribute susceptible to cross-site scripting!!
> ---------------------------------------------------------------
>
> Key: DISPL-223
> URL: http://jira.codehaus.org/browse/DISPL-223
> Project: DisplayTag
> Type: Bug
> Components: HTML Generation
> Versions: 1.0
> Priority: Critical
>
> Original Estimate: 2 hours
> Remaining: 2 hours
>
> Column tag "property"
> (http://displaytag.sourceforge.net/tagreference-displaytag-12.html#column) is
> susceptible to cross-site scripting.
> It should offer a 'filter="true"' as existing in
> http://struts.apache.org/userGuide/struts-bean.html#write
--
This message is automatically generated by JIRA.
_______________________________________________
displaytag-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/displaytag-devel
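
What the requested `filter="true"` option would do to a column cell, as an added example (not DisplayTag or Struts code): a property is read from a server-side bean by reflection and written either raw or with the HTML-significant characters escaped. The class and method names and the sample values are assumptions constructed for illustration.

```java
import java.lang.reflect.Method;

// Added illustration. ColumnCellDemo, Comment, escapeHtml and renderCell are
// hypothetical names, not DisplayTag or Struts classes.
public class ColumnCellDemo {
    // Constructed row object standing in for a bean the application supplies.
    public static class Comment {
        private final String text;
        public Comment(String text) { this.text = text; }
        public String getText() { return text; }
    }

    // Replace the five characters that are significant in HTML text and attribute values.
    static String escapeHtml(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Call row.get<Property>() by reflection and emit one table cell.
    static String renderCell(Object row, String property, boolean filter) throws Exception {
        String getter = "get" + Character.toUpperCase(property.charAt(0)) + property.substring(1);
        Method m = row.getClass().getMethod(getter);
        Object value = m.invoke(row);
        String text = value == null ? "" : value.toString();
        return "<td>" + (filter ? escapeHtml(text) : text) + "</td>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: plain text with special characters, then markup.
        String[] samples = { "5 < 6 & 7 > 2", "<em class=\"x\">hi</em>" };
        for (String s : samples) {
            Comment row = new Comment(s);
            System.out.println("raw:      " + renderCell(row, "text", false));
            System.out.println("filtered: " + renderCell(row, "text", true));
        }
    }
}
```

With the filter off, any markup stored in the bean reaches the browser as markup; with it on, the same value is displayed as literal text.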