[jira] Updated: (WW-2427) s:a does not HTML-escape "href" attribute value

Rene Gielen (JIRA) Sun, 02 Mar 2008 08:38:20 -0800

     [ 
https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Rene Gielen updated WW-2427:
----------------------------

    Assignee: Don Brown  (was: Rene Gielen)

Closer Award: Just reassigning back to Don since he applied the patches to the 
trunk, I just backported them to 2.0.x

> s:a does not HTML-escape "href" attribute value
> -----------------------------------------------
>
>                 Key: WW-2427
>                 URL: https://issues.apache.org/struts/browse/WW-2427
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>            Reporter: Antonio Petrelli
>            Assignee: Don Brown
>             Fix For: 2.0.11.1, 2.1.1
>
>
> The <s:a> does not escape with HTML entities the "href" attribute value. This 
> can lead to invalid HTML and, in certain cases, to 
> XSS attacks.
> Probably a new attribute, that specify if the escape is enabled or not, 
> should be added.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (WW-2427) s:a does not HTML-escape "href" attribute value

Reply via email to