[ 
https://issues.apache.org/struts/browse/WW-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lee Clemens updated WW-2949:
----------------------------

      Priority: Minor  (was: Major)
    Issue Type: Improvement  (was: Bug)

I see your point. However, if Struts 2 provided a way to pass information 
between two actions, it would be kept server-side and hidden/form attributes 
would not be necessary to get the data over the gap.

While I understand this is not a bug with the existing framework, I feel it 
would be a useful enhancement to enable/encourage the use of server-side-only 
parameters within the construct of the framework.

I have changed this to Improvement - Minor, but I would be happy to hear any 
reason this can't/shouldn't be done to keep the non-editable form data 
server-side.

> Passing parameter value from Action to Action requires a security 
> vulnerability
> -------------------------------------------------------------------------------
>
>                 Key: WW-2949
>                 URL: https://issues.apache.org/struts/browse/WW-2949
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.1.6
>         Environment: All
>            Reporter: Lee Clemens
>            Priority: Minor
>
> To pass parameter value from Action->form->Action, need to use URL parameter 
> or <s:hidden>.
> URL can be manipulated manually and hidden form field can be altered via 
> Firefox plugin, etc.
> This presents a security issue, since the form's hidden attribute can be 
> manipulated via a Firefox plugin, etc. and the URL can be altered directly.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
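
One way to keep a non-editable value server-side across the Action->form->Action gap described in the issue, using the HTTP session through Struts 2's `SessionAware` interface. This is an added example, not code from the issue or from the Struts project; the class names, session key, sample id and in-memory store are hypothetical.

```java
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Action 1: shows the form. The value the user must not edit goes into the
// session instead of an <s:hidden> field or a URL parameter.
class ShowFormAction extends ActionSupport implements SessionAware {
    static final String KEY = "editForm.recordId"; // hypothetical session key
    private Map<String, Object> session;

    public void setSession(Map<String, Object> session) { this.session = session; }

    @Override
    public String execute() {
        session.put(KEY, loadRecordIdForUser()); // never sent to the browser
        return SUCCESS;
    }

    // Hypothetical lookup; a real application would query its own data layer.
    private Long loadRecordIdForUser() { return 42L; } // constructed sample value
}

// Action 2: handles the submit. It has no setRecordId(), so a request
// parameter named recordId has no property to bind to; the id is read
// only from the session.
class SaveFormAction extends ActionSupport implements SessionAware {
    // Stand-in for the application's persistence layer (assumption).
    static final Map<Long, String> STORE = new ConcurrentHashMap<Long, String>();
    private Map<String, Object> session;
    private String comment; // editable field, bound from the form

    public void setSession(Map<String, Object> session) { this.session = session; }
    public void setComment(String comment) { this.comment = comment; }

    @Override
    public String execute() {
        Object recordId = session.remove(ShowFormAction.KEY); // single use
        if (!(recordId instanceof Long)) {
            addActionError("No pending edit in this session.");
            return ERROR; // form was never shown, or was already submitted
        }
        STORE.put((Long) recordId, comment == null ? "" : comment);
        return SUCCESS;
    }
}
```

A single session key holds one pending edit, so two browser tabs editing different records would overwrite each other; keying the session entry by a per-form random token avoids that.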
