[jira] Commented: (STR-3191) Sufficently filter HTML tag attribute names and values

Paul Benedict (JIRA) Wed, 23 Sep 2009 03:05:23 -0700

    [ 
https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46828#action_46828
 ]


Paul Benedict commented on STR-3191:
------------------------------------

I suppose you ask rhetorically because the answer, of course, is that someone's 
existing code may break. Excluding yourself, everyone to date (including ASF 
security?) believed it to be worthy of fixing. Can you recommend an alternative 
course?

> Sufficently filter HTML tag attribute names and values
> ------------------------------------------------------
>
>                 Key: STR-3191
>                 URL: https://issues.apache.org/struts/browse/STR-3191
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Tag Libraries
>    Affects Versions: 1.2.9, 1.3.10
>            Reporter: Paul Benedict
>            Assignee: Paul Benedict
>            Priority: Blocker
>             Fix For: 1.3.11, 1.4.0
>
>         Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via 
> unspecified vectors related to insufficient quoting of parameters. 
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (STR-3191) Sufficently filter HTML tag attribute names and values

Reply via email to