The s2 hidden tag (and other input tags) does not escape HTML characters by default as the property tag does. This can easily lead to XSS attacks if you develop a stateless application in which the client is maintaining state. Is there a good reason for this? I think a sensible default would be to escape HTML in all input tags. What do you think?
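To make the risk described above concrete, here is an added illustration (not Struts code, and not from the poster): a stand-alone Java class that mimics what a hidden-input template produces when it writes a round-tripped request parameter into the value attribute raw, next to the same rendering with the value HTML-escaped as the property tag does by default. The class name, the two render methods, the escaper and the attacker payload are all constructed for this example; the break-out check is deliberately crude and only detects the attribute-injection pattern shown here.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration for the thread above; this is not Struts code.
 * Shows what happens when an input tag echoes client-supplied state into an
 * HTML attribute without escaping, versus with escaping.
 */
public class HiddenTagEscapeDemo {

    // Roughly what an unescaped hidden-tag template produces (assumed shape).
    static String renderHiddenUnescaped(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + value + "\"/>";
    }

    // Same output with both attribute values HTML-escaped before they are written.
    static String renderHiddenEscaped(String name, String value) {
        return "<input type=\"hidden\" name=\"" + escapeHtml(name)
                + "\" value=\"" + escapeHtml(value) + "\"/>";
    }

    // Minimal escaper for a double-quoted attribute context: the five characters that matter.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Crude check: we wrote exactly three attributes (type, name, value); any extra
    // attribute means the value terminated the quote and injected its own.
    // A real HTML parser is the right tool; this only catches the pattern used below.
    static boolean valueBrokeOutOfAttribute(String tag) {
        Pattern attr = Pattern.compile("\\s[a-zA-Z]+=\"");
        Matcher m = attr.matcher(tag);
        int count = 0;
        while (m.find()) {
            count++;
        }
        return count > 3;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value, e.g. client-held state sent back in a request
        // parameter and re-rendered into the form by the hidden tag.
        String payload = "x\" autofocus onfocus=\"alert(document.cookie)";

        String bad  = renderHiddenUnescaped("token", payload);
        String good = renderHiddenEscaped("token", payload);

        System.out.println(bad);
        System.out.println(good);
        System.out.println("unescaped broke out of the attribute: " + valueBrokeOutOfAttribute(bad));
        System.out.println("escaped broke out of the attribute:   " + valueBrokeOutOfAttribute(good));
    }
}
```

Running the class prints the raw rendering, in which the payload closes the value attribute and adds an onfocus handler, followed by the escaped rendering, in which the same payload stays inert inside the quotes; the check reports true for the first and false for the second. The example escapes at the point where the value is written into the attribute, which is exactly the step the post proposes input tags should perform by default.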