DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=39264>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39264 Summary: Validation allows java script injection Product: Struts Version: 1.2.9 Platform: All OS/Version: other Status: NEW Keywords: ErrorMessage Severity: normal Priority: P2 Component: Action AssignedTo: dev@struts.apache.org ReportedBy: [EMAIL PROTECTED] If a validation error message contains the input fields that should be shown in the message, it is possible to inject java script as the parameter and this will be executed on the client. There is no escaping of the characters to inhibit this. E.g. error message "Error in parameter {0}" with the parameter %3cscript%3ealert%28%22Show+this49%22%29%3b%3c%2fscript%3e, a popup box will appear with the text "Show this". -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]