[ https://issues.apache.org/jira/browse/WW-3608?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Maurizio Cucchiara reassigned WW-3608:
--------------------------------------
Assignee: Maurizio Cucchiara
> Java Template defaults to opening up a XSS vulnerability
> --------------------------------------------------------
>
> Key: WW-3608
> URL: https://issues.apache.org/jira/browse/WW-3608
> Project: Struts 2
> Issue Type: Bug
> Components: Plugin - Java Templates
> Reporter: Dustin Digmann
> Assignee: Maurizio Cucchiara
>
> The following components do not escape input by default on submission:
> FileHandler, HiddenHandler, PasswordHandler, ResetHandler, SelectHandler,
> SubmitHandler, and TextFieldHandler. This opens up an XSS vulnerability by
> default.
> They currently do something like:
> .addIfExists("value", params.get("nameValue"), false)
> instead of:
> .addIfExists("value", params.get("nameValue"), true)
> I vote it defaults to escaping. Having an attribute added to toggle it would
> be nice too.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
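As an added illustration (not code from the Struts project or from the reporter), the block below is a minimal stand-in for the `addIfExists(name, value, encode)` builder quoted in the report. The `Attributes` class, the `escapeHtml` helper, `renderTextField` and the sample parameter map are all assumptions made for the demo; it renders the same text field once with `encode` set to `false` and once with `true` so the difference in the emitted `value` attribute is visible.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Struts plugin code: a tiny attribute builder shaped like
 * the addIfExists(name, value, encode) call from the issue, used to show how
 * encode=false lets a submitted value terminate the attribute early.
 */
public class AttributeEscapingDemo {

    /** Escape the characters that are significant inside a double-quoted HTML attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hypothetical stand-in for the plugin's attribute collection (assumption). */
    static class Attributes {
        private final Map<String, String> attrs = new LinkedHashMap<>();

        /** Add the attribute only if a value is present; encode it when asked to. */
        Attributes addIfExists(String name, Object value, boolean encode) {
            if (value != null) {
                String v = value.toString();
                attrs.put(name, encode ? escapeHtml(v) : v);
            }
            return this;
        }

        /** Render the collected attributes as a self-closing tag. */
        String render(String tag) {
            StringBuilder sb = new StringBuilder("<").append(tag);
            for (Map.Entry<String, String> e : attrs.entrySet()) {
                sb.append(' ').append(e.getKey())
                  .append("=\"").append(e.getValue()).append('"');
            }
            return sb.append("/>").toString();
        }
    }

    /** Mirrors the text-field handler pattern from the report (hypothetical). */
    static String renderTextField(Map<String, Object> params, boolean encode) {
        return new Attributes()
                .addIfExists("name", params.get("name"), encode)
                .addIfExists("value", params.get("nameValue"), encode)
                .render("input");
    }

    /** Defender's check: a rendered tag must not contain a raw quote inside an attribute value. */
    static boolean attributeValueIntact(String rendered, String rawValue) {
        // If the unescaped raw value survives verbatim, the quote inside it closed the attribute.
        return !rendered.contains(rawValue);
    }

    public static void main(String[] args) {
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("name", "q");
        // Constructed sample value: a double quote followed by an extra attribute.
        String submitted = "plain\" data-extra=\"injected";
        params.put("nameValue", submitted);

        String unescaped = renderTextField(params, false);
        String escaped   = renderTextField(params, true);

        System.out.println("encode=false: " + unescaped);
        // -> <input name="q" value="plain" data-extra="injected"/>  (attribute injected)
        System.out.println("encode=true:  " + escaped);
        // -> <input name="q" value="plain&quot; data-extra=&quot;injected"/>  (stays one attribute)

        System.out.println("intact (false): " + attributeValueIntact(unescaped, submitted));
        System.out.println("intact (true):  " + attributeValueIntact(escaped, submitted));
    }
}
```

The `attributeValueIntact` check is the kind of assertion a unit test for a tag handler can carry: any raw submitted value that contains a quote should never appear verbatim in the rendered markup once escaping is the default.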