[
https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=43022#action_43022
]
Fabio Gandola commented on WW-2427:
-----------------------------------
As I wrote in the mailing list discussion, I think that <s:a> should check for
the presence of double quotes inside the href attribute because if these are
sent to output, they can cause the "href" attribute of <a> to be closed, then
with a > the tag itself will be closed and the attacker will be able to inject
any kind of data inside the page (i.e. JavaScript that will be automatically
executed on page load).
So I think it would be great for <s:a> to check whether the value of its
href attribute may cause the closing of the generated <a> tag. And one simple
thing about this is to look for any double quote inside the href value.
> s:a does not HTML-escape "href" attribute value
> -----------------------------------------------
>
> Key: WW-2427
> URL: https://issues.apache.org/struts/browse/WW-2427
> Project: Struts 2
> Issue Type: Bug
> Components: Plugin - Tags
> Affects Versions: 2.0.11
> Reporter: Antonio Petrelli
> Fix For: 2.1.1
>
>
> The <s:a> tag does not escape the "href" attribute value with HTML entities. This
> can lead to invalid HTML and, in certain cases, to
> XSS attacks.
> Probably a new attribute, that specifies whether escaping is enabled or not,
> should be added.
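An added example, not Struts' own tag code, showing in Java the attribute break-out the comment describes and the entity escaping the issue asks for; the class and method names (HrefAttributeEscape, escapeAttribute, canBreakOutOfAttribute) and the sample href value are mine.

```java
/**
 * Constructed demonstration for WW-2427: a value written verbatim into
 * <a href="..."> can close the attribute with a double quote; escaping it
 * as an HTML attribute value keeps it inside the attribute.
 */
public final class HrefAttributeEscape {

    /** Escape a value for use inside a double-quoted HTML attribute. */
    static String escapeAttribute(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The simple check suggested in the comment: can this raw value close the attribute? */
    static boolean canBreakOutOfAttribute(String rawHref) {
        return rawHref.indexOf('"') >= 0;
    }

    /** Output as the unfixed tag produces it: the value is written raw. */
    static String renderRaw(String href) {
        return "<a href=\"" + href + "\">link</a>";
    }

    /** Output with attribute escaping; note this escapes markup only and does not validate the URL scheme. */
    static String renderEscaped(String href) {
        return "<a href=\"" + escapeAttribute(href) + "\">link</a>";
    }

    public static void main(String[] args) {
        // Constructed value containing the double quote the comment warns about.
        String href = "/view.action?name=a\"b";
        System.out.println("breaks out: " + canBreakOutOfAttribute(href));
        // raw:     <a href="/view.action?name=a"b">link</a>   (attribute ends after "a")
        System.out.println("raw:     " + renderRaw(href));
        // escaped: <a href="/view.action?name=a&quot;b">link</a>
        System.out.println("escaped: " + renderEscaped(href));
    }
}
```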