[ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46102#action_46102 ]

Wes Wannemacher commented on WW-2414:
-------------------------------------

Steve, in your s:property tag, you can specify 'escape="false"' 

That would fix the & problem. The s:property escapes everything by 
default to keep tricksters from posting HTML/JS code as a parameter if they 
notice that the following page regurgitates it. In your case, it doesn't look 
like you are using user input to generate the URL, so it seems safe to me to 
use escape="false" on your s:property tag.



> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: James Mitchell
>            Priority: Critical
>             Fix For: 2.0.11.1, 2.1.1
>
>
> The <s:url> tag does not encode the URL parameters when specified in the 
> "action" attribute. This can lead to a possible XSS attack or invalid URLs.
> Moreover, <s:a> does not encode the value in "href" attribute, that can 
> create invalid HTML code and XSS attacks.
> This is the original description from Fabio Gandola.
> -------------
> I downloaded the struts2-blank-2.0.11 application.
> I placed it in the webapps directory of Tomcat and executed it. It works.
> In example, I placed the file XSS.jsp, written this way:
> ______
> <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
>     pageEncoding="ISO-8859-1"%>
> <%@ taglib prefix="s" uri="/struts-tags"%>
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
> "http://www.w3.org/TR/html4/loose.dtd">
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
> <title>Insert title here</title>
> </head>
> <body>
> <s:url id="xssTest" action="test" namespace="/test" encode="true" />
> <s:a href="%{xssTest}">XSS Test</s:a>
> </body>
> </html>
> ______
> I'm setting encode="true". But if I load in Internet Explorer 6:
> http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?>'"><script>alert('Hello World')</script>
> the JavaScript is executed, and this can be used for XSS stuff.
> I looked into the class:
> org.apache.struts2.components.URL 
> Revision 595746
> and I don't understand where the encode property is used.
> Is this the right behaviour of the encode attribute?
> EDIT: After doing some more tests, I noticed that if I do:
> _____
> <s:url id="xssTest" action="test" namespace="/test" encode="true">
> <s:param name="myvar" value="%{'< > &'}" />
> </s:url>
> <s:a href="%{xssTest}">XSS Test</s:a>
> _____
> The characters < > & are encoded, and so this is OK.
> The funny thing is that it happens too if I set encode="false".
> However, I think that the fact that the passed query string is not encoded (or at 
> least I have not found a way) can give security problems. Or should this be 
> checked by the programmer?
> Thank you.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
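As an added illustration (not code from the issue, from Struts, or from either poster), a small Python model of the two encodings the report is asking about: URL-encoding of query parameters (what encode="true" and <s:param> are expected to do) and HTML-attribute escaping of the href (what the <s:a> output lacks). The request URI and parameter values are constructed from the report; the function names are hypothetical.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample (not real Struts output): the request URI from the
# report, as a page would echo it when building a self-referencing link.
REPORTED_URI = ("/struts2-blank-2.0.11/example/XSS.jsp"
                "?>'\"><script>alert('Hello World')</script>")


def build_url(action_path, params=None):
    """Build a link target, URL-encoding every parameter name and value
    (the behaviour the report expects from encode="true" and <s:param>)."""
    if not params:
        return action_path
    return action_path + "?" + urlencode(params)


def render_anchor(href, text, escape=True):
    """Render an <a> element. With escape=True the href is HTML-attribute-
    escaped (quotes, <, >, &), so an & in the URL becomes &amp;, which a
    browser decodes back to &. escape=False mirrors the unescaped output
    the report complains about."""
    if escape:
        href = html.escape(href, quote=True)
    return '<a href="%s">%s</a>' % (href, html.escape(text))


class _TagCollector(HTMLParser):
    """Record (tag, href) pairs as a browser-like parser would see them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs).get("href")))


def parsed_tags(markup):
    """Return the start tags a parser finds in the markup: a correctly
    escaped anchor yields exactly one ('a', href) and no script element,
    while the unescaped one lets the echoed URI close the attribute early."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags
```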
