[ http://jira.codehaus.org/browse/DISPL-223?page=all ]

fabrizio giustina closed DISPL-223:
-----------------------------------

    Resolution: Incomplete

Cross site scripting means that a user could inject a script by passing parameters to the page: the "property" attribute specifies a value to be fetched from an object provided server side by the application, not from a parameter. This has nothing to do with cross site scripting.

> column property attribute susceptible to cross-site scripting!!
> ---------------------------------------------------------------
>
>          Key: DISPL-223
>          URL: http://jira.codehaus.org/browse/DISPL-223
>      Project: DisplayTag
>         Type: Bug
>   Components: HTML Generation
>     Versions: 1.0
>     Priority: Critical
>
> Original Estimate: 2 hours
>         Remaining: 2 hours
>
> Column tag "property"
> (http://displaytag.sourceforge.net/tagreference-displaytag-12.html#column) is
> susceptible to cross-site scripting.
> It should offer a 'filter="true"' as existing in
> http://struts.apache.org/userGuide/struts-bean.html#write

_______________________________________________
displaytag-devel mailing list
displaytag-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/displaytag-devel