Hi, As mentioned in http://www.disasterarea.co.uk/blog/xss-vulnerabilities-in-web-frameworks-2/ The ${} is not xss safe in struts 2 while it is safe in tapestry 5. I am not a Tapestry guy, but I want to know if above is correct. As far as I know the ${} is part of JSLT and it does not depend on any web frameworks. So if above sentence is correct and the ${}is XSS safe in tapestry, how can we make it safe in struts 2. To test above in struts 2, I run struts2-showcase app, opened modelDriven\modelDrivenResult.jsp and add below line: Am I safe ${name} Now when you run the show case, go to model driven sample, and enter <script> alert('xxxx') </script> as gangester name you can see the alert!
~Regards, ~~Alireza Fattahi