s:actionerror and Cross-Site Scripting
--------------------------------------
Key: WW-3224
URL: https://issues.apache.org/struts/browse/WW-3224
Project: Struts 2
Issue Type: Bug
Affects Versions: 2.0.14
Reporter: DavidZaz
Currently, the s:property tag has an attribute named "escape" which allows
users to determine whether HTML strings should be escaped when displaying
content to the screen. The s:actionerror tag does not have any equivalent
functionality, and this can be used by Cross-Site Scripting attacks. For example,
<s:textfield name="myField" />
<s:actionerror />

public String execute() {
    if (myField != null && myField.length() > 50) {
        // myField is inserted into the message verbatim; s:actionerror renders it unescaped
        addActionError("The provided user text: \"" + myField + "\" exceeds the maximum length of 50 for the field.");
        return "input";
    }
    return "success";
}
Suppose that a user enters some malicious JavaScript in myField which is
longer than 50 characters. When the Action returns to the form, the malicious
JavaScript in the s:actionerror (but not in the s:textfield) will execute on
the user's machine. It would be very useful if the s:actionerror tag included
some functionality to escape this malicious HTML.
Thanks!
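As an added example (not code from the reporter or from the Struts project), the action described above rewritten so that the text handed to addActionError() is HTML-escaped before the tag renders it. The class name MyFieldAction and the escapeHtml/lengthError helpers are hypothetical; ActionSupport is the standard com.opensymphony.xwork2 base class.

```java
import com.opensymphony.xwork2.ActionSupport;

// Hypothetical action mirroring the report: the user value is echoed back in an
// error message, so it is escaped server-side since s:actionerror will not do it.
public class MyFieldAction extends ActionSupport {
    private static final int MAX_LENGTH = 50;
    private String myField;

    public void setMyField(String myField) { this.myField = myField; }
    public String getMyField() { return myField; }

    // Minimal HTML escaping of the five characters that matter in markup/attributes.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Builds the message with the user value escaped; kept separate so it can be
    // unit-tested without a running container.
    static String lengthError(String value) {
        return "The provided user text: \"" + escapeHtml(value)
             + "\" exceeds the maximum length of " + MAX_LENGTH + " for the field.";
    }

    @Override
    public String execute() {
        if (myField != null && myField.length() > MAX_LENGTH) {
            addActionError(lengthError(myField)); // any <script> in myField renders as text
            return INPUT;
        }
        return SUCCESS;
    }

    public static void main(String[] args) {
        // Constructed sample input: a 60-character value containing markup.
        String sample = "<b>" + "x".repeat(50) + "</b>" + "y".repeat(3);
        System.out.println(lengthError(sample)); // prints &lt;b&gt;... instead of live tags
    }
}
```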
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.