[
https://issues.apache.org/jira/browse/WW-5623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tran Quac updated WW-5623:
--------------------------
Component/s: Core
> fix(core): HTML-encode form action in PostbackResult to prevent XSS
> -------------------------------------------------------------------
>
> Key: WW-5623
> URL: https://issues.apache.org/jira/browse/WW-5623
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Tran Quac
> Priority: Major
>
> h2. Summary
> PostbackResult.doExecute() at line 107 embeds finalLocation into a form
> action attribute via raw string concatenation without HTML encoding. The
> response Content-Type is text/html (line 103). A double-quote character in
> the location breaks out of the attribute, enabling reflected XSS.
> This is an encoding inconsistency: form field names and values at lines
> 218-219 ARE properly URL-encoded via URLEncoder.encode(), but the form action
> attribute was not encoded at all.
> h2. Changes
> * {*}PostbackResult.java{*}: Add encodeHtml() method to escape &, ", <, > in
> finalLocation before embedding in the HTML form tag. Consistent with the
> existing encoding approach for form field values.
> h2. Impact
> When a developer uses PostbackResult with an OGNL expression referencing a
> user-controllable property (a documented framework feature for dynamic
> routing), an attacker can inject arbitrary HTML attributes and elements via
> the form action attribute.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
