[ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46089#action_46089 ]

Wes Wannemacher commented on WW-2414:
-------------------------------------

Steve, I think you might be worried about nothing. A URL in the HREF parameter 
of the A tag that looks like this "myaction.action?param1=1&param2=2" is 
actually invalid XML. The example that you use 
'myaction.action?param1=1&amp;param2=2' may be an invalid URL, but it is valid 
XHTML. Try to put it in an HTML A tag, then click it... It works correctly. 
This is one of those areas where different standards/specifications don't agree 
completely. On one hand you have the XML standard, which doesn't allow & as a 
standalone character. XHTML is derived from XML, so it inherits the same rules. 
On the other hand, you have whatever RFC that defines the query string, which 
expects &... It's messy, but that's why we have tag parameters to let you sort 
it out. If you are creating a URL that is going to be part of your HTML 
content, then let the & become &amp;. If you are generating a URL that is 
going to be used by JavaScript to make an Async Request, then don't let the &s 
get encoded. 
  

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: James Mitchell
>            Priority: Critical
>             Fix For: 2.0.11.1, 2.1.1
>
>
> The <s:url> tag does not encode the URL parameters when specified in the 
> "action" attribute. This can lead to a possible XSS attack or invalid URLs.
> Moreover, <s:a> does not encode the value in "href" attribute, that can 
> create invalid HTML code and XSS attacks.
> This is the original description from Fabio Gandola.
> -------------
> I download the struts2-blank-2.0.11 application.
> I place it in the webapps directory of Tomcat and I execute it. It works.
> I place in example the file XSS.jsp, written this way:
> ______
> <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
>     pageEncoding="ISO-8859-1"%>
> <%@ taglib prefix="s" uri="/struts-tags"%>
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
> "http://www.w3.org/TR/html4/loose.dtd">
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
> <title>Insert title here</title>
> </head>
> <body>
> <s:url id="xssTest" action="test" namespace="/test" encode="true" />
> <s:a href="%{xssTest}">XSS Test</s:a>
> </body>
> </html>
> ______
> I'm setting encode="true". But if I load on Internet Explorer 6:
> http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?>'"><script>alert('Hello
>  World')</script>
> The javascript is executed.. and this can be used for XSS stuff.
> I looked into the class:
> org.apache.struts2.components.URL 
> Revision 595746
> And I don't understand where the encode property is used.
> Is this the right behaviour of encode attribute?
> EDIT: After doing some more tests, I noticed that I do:
> _____
> <s:url id="xssTest" action="test" namespace="/test" encode="true">
> <s:param name="myvar" value="%{'< > &'}" />
> </s:url>
> <s:a href="%{xssTest}">XSS Test</s:a>
> _____
> The characters < > & are encoded, and so.. this is ok.
> The funny thing is that it happens too if I set encode="false"
> However, I think that the fact that the passed query string is not encoded (or at 
> least I have not found a way) can give security problems? Or should this be 
> checked by the programmer?
> Thank you.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
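The two encoding layers that the comment above distinguishes (percent-encoding inside the query string, then entity-encoding only when the URL is dropped into HTML markup) and the reporter's failure mode (raw request data concatenated straight into an href attribute) can be shown side by side. The following is an added example written for this page; it is not Struts code and does not use the Struts tag implementation. The action path and parameter names are constructed, and the probe string is the reporter's with the wrapped line break removed:

```python
import json
from html import escape
from urllib.parse import urlencode


def build_url(action_path, params):
    """URL-level encoding: percent-encode every name and value, join pairs
    with a raw '&'.  This layer does not depend on where the URL is embedded."""
    if not params:
        return action_path
    return action_path + "?" + urlencode(params)


def for_html_attribute(url):
    """Markup-level encoding for an HTML/XHTML attribute value:
    & -> &amp;, " -> &quot;, < -> &lt;, > -> &gt;.  The browser decodes the
    entities before following the link, so '&amp;' in the page is '&' on the wire."""
    return escape(url, quote=True)


def for_javascript(url):
    """A URL handed to script (e.g. an async request target) must NOT get
    entity encoding, or '&amp;' reaches the server literally.  Emitting it as
    a JSON string literal is a safe way to embed it in inline script."""
    return json.dumps(url)


def render_anchor_unsafe(href, text):
    """The reporter's failure mode: the attribute is built from raw data, so a
    quote in the data closes the attribute and any markup after it is live."""
    return '<a href="' + href + '">' + text + '</a>'


def render_anchor(action_path, params, text):
    """Hardened form: percent-encode the parameters, then entity-encode the
    whole URL for the attribute context it is placed in."""
    href = for_html_attribute(build_url(action_path, params))
    return '<a href="%s">%s</a>' % (href, escape(text, quote=True))


# Constructed sample input: the reporter's probe string (assumed single-line).
TAINTED = ">'\"><script>alert('Hello World')</script>"

if __name__ == "__main__":
    # Raw concatenation: the attribute is closed early and the script tag survives.
    print(render_anchor_unsafe("/test/test.action?q=" + TAINTED, "XSS Test"))
    # Encoded form: every markup character lands as %XX inside the query value.
    print(render_anchor("/test/test.action", {"q": TAINTED}, "XSS Test"))
    # The '&' that joins parameters becomes '&amp;' only in HTML context ...
    print(render_anchor("/test/test.action", {"param1": "1", "param2": "2"}, "two params"))
    # ... and stays a plain '&' when the URL is handed to script.
    print(for_javascript(build_url("/test/test.action", {"param1": "1", "param2": "2"})))
```

A useful review check follows directly from `render_anchor`: any `<`, `>` or unescaped `"` appearing inside a rendered href attribute means one of the two layers was skipped, which is exactly what the reporter's XSS.jsp test exposed.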
