2014-04-29 15:55 GMT+02:00 Alireza Fattahi <afatt...@yahoo.com>:
> Hi,
>
> As mentioned in
> http://www.disasterarea.co.uk/blog/xss-vulnerabilities-in-web-frameworks-2/
> The ${} is not xss safe in struts 2 while it is safe in tapestry 5.
> I am not a Tapestry guy, but I want to know if above is correct.
> As far as I know the ${} is part of JSLT and it does not depend on any web
> frameworks. So if above sentence is correct and the ${}is XSS safe in
> tapestry, how can we make it safe in struts 2.
> To test above in struts 2, I run struts2-showcase app, opened
> modelDriven\modelDrivenResult.jsp
> and add below line:
> Am I safe ${name}
> Now when you run the show case, go to model driven sample, and enter <script>
> alert('xxxx') </script> as gangester name you can see the alert!
To replicate Dave's answer on SO:
because ${} is JSP EL operator not Struts2 operator
http://stackoverflow.com/questions/23365225/make-operator-xss-safe-in-struts-2-same-as-tapestry
Regards
--
Ćukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
