encode attribute of <s:url ... />
---------------------------------

                 Key: WW-2414
                 URL: https://issues.apache.org/struts/browse/WW-2414
             Project: Struts 2
          Issue Type: Bug
    Affects Versions: 2.0.11
         Environment: tomcat 6.0.14, jdk 1.6.0_03
            Reporter: Fabio


I downloaded the struts2-blank-2.0.11 application.

I place it in the webapps directory of Tomcat and I execute it. It works.

I placed the file XSS.jsp in example, written this way:

______
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="s" uri="/struts-tags"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<s:url id="xssTest" action="test" namespace="/test" encode="true" />
<s:a href="%{xssTest}">XSS Test</s:a>
</body>
</html>
______

I'm setting encode="true". But if I load on Internet Explorer 6:

http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?>'"><script>alert('Hello World')</script>

The JavaScript is executed... and this can be used for XSS stuff.
I looked into the class:

org.apache.struts2.components.URL 
Revision 595746

And I don't understand where the encode property is used.
Is this the right behaviour of encode attribute?
Thank you

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
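The report above describes a reflected value landing inside an `href` attribute without being made safe for that context. The following is an added, stand-alone Java example (not code from the Struts project and not the reporter's) that shows the two defensive steps a tag rendering such a link needs: percent-encoding the reflected query (what a URL-level `encode` is expected to do) and, independently, escaping the finished URL for the HTML attribute context before it is written into the page. The constant `REFLECTED_QUERY` is a constructed sample taken from the request shown in the report; `renderLink`, `htmlAttributeEscape` and `isSafeForAttribute` are names chosen for this example only.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

public class SafeHrefExample {

    // Constructed sample input: the query string from the request in the report.
    static final String REFLECTED_QUERY = ">'\"><script>alert('Hello World')</script>";
    static final String BASE_URL = "/struts2-blank-2.0.11/example/XSS.jsp";

    /** Escape a value for insertion inside a double-quoted HTML attribute. */
    static String htmlAttributeEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Build the link markup. Step 1 percent-encodes the reflected query so that
     * the URL itself carries no raw '<', '>', '"' or '\''. Step 2 escapes the
     * whole URL for the attribute context, which is what actually closes the
     * injection regardless of what step 1 did.
     */
    static String renderLink(String base, String query, boolean percentEncode, boolean attrEscape)
            throws UnsupportedEncodingException {
        // Match the page's declared charset (ISO-8859-1) for the percent-encoding.
        String q = percentEncode ? URLEncoder.encode(query, "ISO-8859-1") : query;
        String href = base + "?" + q;
        if (attrEscape) {
            href = htmlAttributeEscape(href);
        }
        return "<a href=\"" + href + "\">XSS Test</a>";
    }

    /** Check: the attribute must not be able to break out of its quotes or open a tag. */
    static boolean isSafeForAttribute(String markup) {
        String inner = markup.substring("<a href=\"".length(), markup.indexOf("\">XSS Test</a>"));
        return !inner.contains("\"") && !inner.contains("<") && !inner.contains(">");
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Unsafe: the reflected request is copied verbatim into the attribute.
        String raw = renderLink(BASE_URL, REFLECTED_QUERY, false, false);
        System.out.println("raw           safe=" + isSafeForAttribute(raw) + "  " + raw);

        // Percent-encoding alone removes the dangerous characters from this input...
        String encoded = renderLink(BASE_URL, REFLECTED_QUERY, true, false);
        System.out.println("percent-enc   safe=" + isSafeForAttribute(encoded) + "  " + encoded);

        // ...but attribute escaping is the context-correct defence and works even
        // when the URL-level encoding is skipped or bypassed.
        String escaped = renderLink(BASE_URL, REFLECTED_QUERY, false, true);
        System.out.println("attr-escaped  safe=" + isSafeForAttribute(escaped) + "  " + escaped);

        // Both together is what a rendering tag should do.
        String both = renderLink(BASE_URL, REFLECTED_QUERY, true, true);
        System.out.println("both          safe=" + isSafeForAttribute(both) + "  " + both);
    }
}
```

Run with `javac SafeHrefExample.java && java SafeHrefExample`. The first line prints `safe=false`, the remaining three `safe=true`; the point is that percent-encoding of the URL and escaping for the attribute context are separate steps, and a tag that emits an `href` built from request data needs the second one even if the first is configured.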