[ https://issues.apache.org/struts/browse/TILES-351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antonio Petrelli closed TILES-351.
----------------------------------
Resolution: Fixed
Security bug resolved.
> EL expressions in JSP using some Tiles JSP tags are evaluated twice
> --------------------------------------------------------------------
>
> Key: TILES-351
> URL: https://issues.apache.org/struts/browse/TILES-351
> Project: Tiles
> Issue Type: Bug
> Components: tiles-api, tiles-core, tiles-jsp (jsp support)
> Affects Versions: 2.1.0, 2.1.1
> Environment: EL support enabled
> Reporter: Antonio Petrelli
> Assignee: Antonio Petrelli
> Priority: Critical
> Fix For: 2.1.2
>
>
> Tiles 2.1.x allows, with the correct configuration, to use EL expressions in
> Tiles configuration files.
>
> The problem is that, if attribute values or templates are defined using some
> JSP tags (tiles:putAttribute, tiles:insertTemplate), the EL expression is
> evaluated twice: once by the container, once by the ELAttributeEvaluator class.
>
> Now, if at the first evaluation the EL expression is connected to
> user-entered content, it could be maliciously exploited to access the server
> context.
> Therefore, there could be an unwanted exposure of server data or XSS attacks.
--
This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
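The double-evaluation failure mode described in the issue, as an added illustration that is not Tiles code and not part of the original message. The expression syntax, the `evaluate` function, the scope dictionary and the sample values are all constructed stand-ins for a JSP container plus an attribute evaluator; `${name}` here simply resolves to a dictionary entry rather than running a real EL engine. The point is that a value the container has already evaluated may now contain expression text that came from user input, and a second pass resolves it against server-side data. The guard shown refuses to re-evaluate such values, which is the defender-side check a reviewer would look for in any two-stage template pipeline.

```python
import re

# Constructed toy expression language: "${name}" resolves to scope[name].
# This stands in for a JSP container's EL evaluation; it is not real EL.
EXPR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def evaluate(template: str, scope: dict) -> str:
    """One evaluation pass: replace every ${name} with the value in scope."""
    return EXPR.sub(lambda m: str(scope.get(m.group(1), "")), template)


def contains_expression(value: str) -> bool:
    """True if a string still carries expression syntax after evaluation.

    After the container has evaluated a tag attribute, any remaining ${...}
    must have come from data substituted in (e.g. user input), so it is not
    safe to hand it to a second evaluator.
    """
    return EXPR.search(value) is not None


def render_double(tag_value: str, scope: dict) -> str:
    """Buggy pipeline: container evaluates the tag attribute, then the
    attribute evaluator evaluates the result again."""
    container_result = evaluate(tag_value, scope)
    return evaluate(container_result, scope)


def render_single(tag_value: str, scope: dict) -> str:
    """Fixed pipeline: a value that arrived through a tag has already been
    evaluated by the container and is used as-is; it is never re-evaluated."""
    return evaluate(tag_value, scope)


def render_guarded(tag_value: str, scope: dict) -> str:
    """Defensive variant for pipelines that cannot drop the second pass:
    re-evaluate only when the first pass left no expression syntax behind."""
    container_result = evaluate(tag_value, scope)
    if contains_expression(container_result):
        return container_result
    return evaluate(container_result, scope)


# Constructed server context. "param_title" models a request parameter whose
# value the user chose; "db_password" models application-scope data that must
# never be rendered into a page.
SCOPE = {
    "param_title": "${db_password}",
    "db_password": "example-secret",
}


def demo() -> tuple:
    """Render the same tag attribute through each pipeline."""
    tag_value = "Title: ${param_title}"
    return (
        render_double(tag_value, SCOPE),
        render_single(tag_value, SCOPE),
        render_guarded(tag_value, SCOPE),
    )


if __name__ == "__main__":
    buggy, fixed, guarded = demo()
    print("double evaluation :", buggy)
    print("single evaluation :", fixed)
    print("guarded           :", guarded)
```

The buggy path resolves the user-controlled parameter to `${db_password}` on the first pass and then resolves that to the server-side value on the second, which is exactly the exposure the issue describes. Both the single-pass and the guarded variants stop at the literal text. Note that the literal output still needs ordinary HTML output escaping before it reaches a browser; that is a separate concern from the double evaluation fixed here.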