What browser are you using, and what's the exact query string being used? I'm having issues duplicating this.
d.

--- Antonio Petrelli <[EMAIL PROTECTED]> wrote:

> 2008/1/12, GF <[EMAIL PROTECTED]>:
> > http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?'"><script>alert(document.cookie)</script>
> >
> > I tested this .jsp inside the 2.0.11 blank application.
> > I think it's a severe problem, because every Struts2 website using
> > <s:url and <s:a this way can be attacked with XSS.
>
> It looks like a critical bug (security exploit): the URL should be
> parsed, separating the query string into parameters.
>
> Thoughts?
>
> Antonio
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
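The following is an added, stand-alone example written for this page; it is not Struts code and does not show how the <s:url> or <s:a> tags are implemented. It contrasts the behaviour the report describes (the request's raw query string copied straight into an href attribute) with the fix Antonio suggests (parse the query string into parameters, then re-encode each name and value before emitting the URL, and HTML-escape the result for the attribute context). The path and payload are taken from the reported URL; the class, the method names buildHrefVerbatim, buildHrefHardened, parseQuery, buildQuery and escapeAttr, and the second sample query are hypothetical names and constructed input. It needs Java 10 or later for the Charset overloads of URLEncoder/URLDecoder.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class UrlTagXssDemo {

    // Payload from the report, i.e. the part after "XSS.jsp?" in the posted URL (constructed here).
    static final String REPORTED_PAYLOAD = "'\"><script>alert(document.cookie)</script>";

    // Vulnerable pattern (hypothetical sketch of the reported behaviour, not Struts code):
    // the raw query string is concatenated into the href without parsing or escaping,
    // so a '"> in the query closes the attribute and the tag and injects markup.
    static String buildHrefVerbatim(String path, String rawQuery) {
        return "<a href=\"" + path + "?" + rawQuery + "\">link</a>";
    }

    // Split the raw query into name/value pairs and percent-decode each component.
    // A malformed percent sequence makes URLDecoder throw IllegalArgumentException;
    // a real tag should treat that as a bad request rather than echo the input.
    static Map<String, String> parseQuery(String rawQuery) {
        Map<String, String> params = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return params;
        }
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Rebuild the query string from parsed parameters, percent-encoding every
    // name and value so that characters such as ' " < > cannot survive.
    static String buildQuery(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8));
            sb.append('=');
            sb.append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    // Escape for an HTML attribute value: & < > " ' are the characters that
    // can terminate or alter the attribute, so each becomes an entity.
    static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened pattern: parse, re-encode, then attribute-escape the whole URL.
    // The path is assumed to be the application's own (not attacker-controlled).
    static String buildHrefHardened(String path, String rawQuery) {
        String query = buildQuery(parseQuery(rawQuery));
        String url = query.isEmpty() ? path : path + "?" + query;
        return "<a href=\"" + escapeAttr(url) + "\">link</a>";
    }

    public static void main(String[] args) {
        String path = "/struts2-blank-2.0.11/example/XSS.jsp";

        // The reported payload: verbatim copy emits a <script> tag, the hardened
        // form yields %27%22%3E%3Cscript%3E... inside a properly quoted href.
        System.out.println("verbatim : " + buildHrefVerbatim(path, REPORTED_PAYLOAD));
        System.out.println("hardened : " + buildHrefHardened(path, REPORTED_PAYLOAD));
        if (buildHrefHardened(path, REPORTED_PAYLOAD).contains("<script")) {
            throw new IllegalStateException("hardened href still contains markup");
        }

        // A benign query (constructed) still round-trips: id=5&name=a b -> id=5&amp;name=a+b
        System.out.println("benign   : " + buildHrefHardened(path, "id=5&name=a%20b"));
    }
}
```

Note the two separate layers: percent-encoding keeps the value a valid URL component, and attribute escaping (here mainly turning & into &amp;) keeps the URL a valid attribute value. Applying only one of the two leaves a gap in the other context.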