[jira] [Work logged] (WW-5623) XSS in PostbackResult.doExecute()

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/WW-5623?focusedWorklogId=1014136&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1014136
 ]

ASF GitHub Bot logged work on WW-5623:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Apr/26 00:17
            Start Date: 09/Apr/26 00:17
    Worklog Time Spent: 10m 
      Work Description: tranquac commented on PR #1653:
URL: https://github.com/apache/struts/pull/1653#issuecomment-4210561215

   Hi @lukaszlenart,
   
   Thank you for the review feedback! I've pushed a follow-up commit addressing 
both points:
   
   ### Changes in this update
   
   **1. Replaced custom `encodeHtml()` with `StringEscapeUtils.escapeHtml4()`**
   
   Removed the custom helper method and switched to 
`org.apache.commons.text.StringEscapeUtils.escapeHtml4()`, consistent with how 
the rest of Struts core handles HTML encoding (e.g., `DefaultActionProxy`, 
`Property`, `TextProviderHelper`).
   
   **2. Added 3 focused unit tests in `PostbackResultTest`**
   
   | Test | What it covers |
   |---|---|
   | `testFormActionHtmlEscaping` | XSS payload with double-quote attribute 
breakout (`"onmouseover="alert(1)"`). Asserts escaped entities in rendered 
action attribute and verifies raw `"` cannot break out. |
   | `testFormActionEscapesAllHtmlSpecialChars` | Covers all 4 critical HTML 
characters (`"`, `&`, `<`, `>`) individually, asserting each is properly 
escaped to its HTML entity (`&quot;`, `&amp;`, `&lt;`, `&gt;`). |
   | `testFormActionCleanLocationUnchanged` | Regression test — verifies that a 
clean URL without special characters renders unchanged in the action attribute. 
|
   
   All 7 tests pass (4 existing + 3 new):
   ```
   Tests run: 7, Failures: 0, Errors: 0, Skipped: 0
   BUILD SUCCESS
   ```
   
   Please let me know if there's anything else you'd like me to adjust.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 1014136)
    Time Spent: 0.5h  (was: 20m)

> XSS in PostbackResult.doExecute()
> ---------------------------------
>
>                 Key: WW-5623
>                 URL: https://issues.apache.org/jira/browse/WW-5623
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 7.1.1
>            Reporter: Tran Quac
>            Priority: Major
>             Fix For: 7.2.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> h2. Summary
> PostbackResult.doExecute() at line 107 embeds finalLocation into a form 
> action attribute via raw string concatenation without HTML encoding. The 
> response Content-Type is text/html (line 103). A double-quote character in 
> the location breaks out of the attribute, enabling reflected XSS.
> This is an encoding inconsistency: form field names and values at lines 
> 218-219 ARE properly URL-encoded via URLEncoder.encode(), but the form action 
> attribute was not encoded at all.
> h2. Changes
>  * {*}PostbackResult.java{*}: Add encodeHtml() method to escape &, ", <, > in 
> finalLocation before embedding in the HTML form tag. Consistent with the 
> existing encoding approach for form field values.
> h2. Impact
> When a developer uses PostbackResult with an OGNL expression referencing a 
> user-controllable property (a documented framework feature for dynamic 
> routing), an attacker can inject arbitrary HTML attributes and elements via 
> the form action attribute.
> h2. Refer
> [https://github.com/apache/struts/pull/1653]
> [https://github.com/apache/struts/pull/1653/changes/1b2242487179f38009d118707b8e70ab396a3d27]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)