[
https://issues.apache.org/jira/browse/WW-5183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17544933#comment-17544933
]
Yasser Zamani commented on WW-5183:
-----------------------------------
Hi [~takehiro.hidaka] ,
Thanks for the kind reaching out :)
No it's not a bug. It's an improvement to protect user's apps against XSS when
potentially, as a mistake, developer uses not trusted (validated) user input as
e.g. action name etc. So an attacker could exploit XSS via posting JS scripts
as e.g. action name etc. Because Struts uses 'id' a lot internally to generate
required JS scripts, so an attacker could inject its own JS scripts.
Please see [https://github.com/apache/struts/pull/496/files] and search for
phrase 'escape'.
Credits to Chris McCown [https://cwiki.apache.org/confluence/display/WW/S2-062]
BTW please note that basically you shouldn't depend on Struts internal behavior
:)
> HTML tag's ID attribute's value output by struts is different between
> struts2.5.26 and struts2.5.30.
> ----------------------------------------------------------------------------------------------------
>
> Key: WW-5183
> URL: https://issues.apache.org/jira/browse/WW-5183
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.5.30
> Reporter: takehiro.hidaka
> Assignee: Yasser Zamani
> Priority: Critical
>
> Hi!
> I love struts.
> And I updated from 2.5.26 to 2.5.30 to use the latest version.
> And I noticed that the content generated by HTML is different.
> Specifically, the code and output are as follows.
> Hello.jsp
> {code:java}
> <%@ page language="java" contentType="text/html; charset=UTF-8"
> pageEncoding="UTF-8"%>
> <%@ taglib prefix="s" uri="/struts-tags"%>
> <!DOCTYPE html>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
> <title>Struts2</title>
> </head>
> <body>
> <s:form action="hello-action">
> <s:textfield name="name" />
> <s:submit value="submit" />
> </s:form>
> </body>
> </html> {code}
> struts2.5.26 output
> {code:java}
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
> <title>Struts2</title>
> </head>
> <body>
> <form id="hello-action" name="hello-action" action="hello-action"
> method="post">
> <input type="text" name="name" value="" id="hello-action_name"> <!— The
> value of the automatically generated ID here is different. —>
> <input type="submit" value="submit" id="hello-action_0">
> </form>
> </body>
> </html> {code}
> struts2.5.30 output
> {code:java}
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
> <title>Struts2</title>
> </head>
> <body>
> <form id="hello_action" name="hello_action" action="hello-action"
> method="post">
> <input type="text" name="name" value="" id="hello_action_name"> <!— The
> value of the automatically generated ID here is different. —>
> <input type="submit" value="submit" id="hello_action_0">
> </form>
> </body>
> </html> {code}
> Previously, the ID value was generated by inheriting the action name.
> However, in 2.5.30, the hyphen is changed to an underscore and output.
> My project uses the jQuery selector. Therefore, accepting this 'struts'
> change would require changes to all selectors, which is very costly.
> Is this the correct change? Or is it a bug?
> Thank you!
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
