jeff mutonho wrote:

Hi, what are the recommendations to deal with cross-site scripting in Struts?
I've got an app that a user can access at a URL, let's call it http://localhost/myapplication. Now doing something like


http://localhost/myapplication/applicationInit.do?mode=<script>alert(document.cookie)</script> reveals a pop-up box containing the currently set cookies.

How can I block that from happening? Is there a way of encoding a form bean? Please help as this is critical to the app.



One of the keys to avoiding the particular XSS attack you are talking about here is to be careful about how you render dynamic content that was originally entered by the user. For example, if your string above was read into a bean property named "mode" and you wanted to render it as text in another page, you should use something like:

<bean:write name="mybean" property="mode"/>

instead of something like:

<%= mybean.getMode() %>

Struts protects you because (unless you explicitly ask it not to), it will render "<" as "&lt;" so that the embedded script will not actually get executed. Using a runtime expression, or things like that, simply copies the bytes back out again with no filtering.


jeff mutonho



Craig
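The two rendering paths Craig contrasts, shown side by side on the exact payload from the question, as an added example that is not part of the original thread and not Struts' own source. It runs without a servlet container: the form bean, the two render methods and the escaping routine are all stand-ins written for this illustration. The escaping mirrors what `<bean:write>` does by default in Struts 1 (the same five characters `ResponseUtils.filter` handles); the class and method names here are assumptions, not Struts APIs.

```java
import java.util.Locale;

/**
 * Added illustration (not Struts source): why <bean:write> stops the
 * mode=<script>...</script> payload and a scriptlet does not.
 */
public class StrutsXssDemo {

    // Stand-in for the default escaping <bean:write> applies. Hypothetical
    // helper written for this demo; Struts 1 does the equivalent in
    // org.apache.struts.util.ResponseUtils.filter.
    static String filter(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Stand-in for the ActionForm that Struts populates from the request
    // parameters of applicationInit.do?mode=... (hypothetical bean).
    static class InitForm {
        private String mode;
        public String getMode() { return mode; }
        public void setMode(String mode) { this.mode = mode; }
    }

    // What <%= mybean.getMode() %> emits: the bytes, unfiltered.
    static String renderWithScriptlet(InitForm form) {
        return "<p>Mode: " + form.getMode() + "</p>";
    }

    // What <bean:write name="mybean" property="mode"/> emits.
    static String renderWithBeanWrite(InitForm form) {
        return "<p>Mode: " + filter(form.getMode()) + "</p>";
    }

    // A crude check a unit test can run over rendered output: does a
    // script tag survive into the HTML the browser will parse?
    static boolean containsScriptTag(String html) {
        return html.toLowerCase(Locale.ROOT).contains("<script");
    }

    public static void main(String[] args) {
        // Constructed input: the query-string value from the question, as the
        // container hands it over after URL decoding.
        String mode = "<script>alert(document.cookie)</script>";
        InitForm form = new InitForm();
        form.setMode(mode); // what the Struts request processor does for ?mode=...

        String unsafe = renderWithScriptlet(form);
        String safe = renderWithBeanWrite(form);

        System.out.println("scriptlet : " + unsafe);
        System.out.println("bean:write: " + safe);
        System.out.println("script tag reaches the browser via scriptlet?  " + containsScriptTag(unsafe));
        System.out.println("script tag reaches the browser via bean:write? " + containsScriptTag(safe));
    }
}
```

Two caveats worth keeping in mind when applying this: `<bean:write>` accepts `filter="false"`, which switches the escaping off and reproduces the scriptlet behaviour, so grep the JSPs for that attribute as well as for `<%=`; and entity-encoding of this kind is the right answer only when the value lands in HTML text (or a quoted attribute), not when it is written into a JavaScript block, an unquoted attribute or a URL, where the browser applies different parsing rules and a different encoding is needed.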




