[
https://issues.apache.org/struts/browse/WW-3224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Musachy Barroso resolved WW-3224.
---------------------------------
Resolution: Fixed
Fixed for actionerror, actionmessage and fielderror, they will be escaped by
default, but escape="false" can also be set.
> s:actionerror and Cross-Site Scripting
> --------------------------------------
>
> Key: WW-3224
> URL: https://issues.apache.org/struts/browse/WW-3224
> Project: Struts 2
> Issue Type: Improvement
> Affects Versions: 2.0.14
> Reporter: DavidZaz
> Fix For: 2.1.8
>
>
> Currently, the s:property tag has an attribute named "escape" which allows
> users to determine whether HTML strings should be escaped when displaying
> content to the screen. The s:actionerror does not have any equivalent
> functionality and this can be used by Cross Site Scripting attacks. For
> example,
> <s:textfield name="myField" />
> <s:actionerror />
> public String execute() {
> if (myField != null && myField.length() > 50) {
> addActionError("The provided user text: \"" + myField + "\" exceeds the
> maximum length of 50 for the field.");
> return "input";
> }
> Suppose that a user enters some malicious javascript in the myField which is
> longer than 50 characters. When the Action returns to the form, the malicious
> javascript in the s:actionerror (but not in the s:textfield) will execute on
> the user's machine. It would be very useful if the s:actionerror tag included
> some functionality to escape this malicious HTML.
> Thanks!
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
