Thanks for the heads-up on AbstractRemoteCallUIBean.java setHref.

With encode I only see this implementation for the value associated with the key
(but not the URL) in URLHelper.java; the buildUrl method calls assume escapeAmp
has been set or not. Where is escapeAmp being set to either true/false?

Thanks,
M--
----- Original Message -----
From: "Dave Newton" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <user@struts.apache.org>
Sent: Sunday, January 13, 2008 10:50 AM
Subject: Re: Feedback: WW-2414, XSS attack is possible if using <s:url ...> and <s:a ...>


> Is this an IE-only thing?
>
> When I do this w/ FF or Safari I get an encoded parameter and it doesn't
> execute the JavaScript :/
>
> URL's mergeRequestParameters method calls UrlHelper's parseQueryString, which
> in turn calls Java's URLEncoder.encode; while I haven't spent a lot of time
> tracking execution I guess I thought this was the path taken for any GET
> parameters.
>
> d.
>
> --- Antonio Petrelli <[EMAIL PROTECTED]> wrote:
>
> > 2008/1/13, Jeromy Evans <[EMAIL PROTECTED]>:
> > > I don't think this is a critical problem sheerly because the high
> > > prevalence of such vulnerabilities means some of the responsibility
> > > falls on the developer to not trust user-entered data..
> >
> > This is not the case: I think it is a bug, since the url in <s:url>
> > should be *parsed* before, extracting the eventual querystring and its
> > parameters.
> > It is a bug, since ganfab (sorry I cannot read your name :-) ) tried
> > to use the <s:param> and it works.
> > I don't know how <c:url> of JSTL works, but I firmly suppose that it
> > parses the URL.
> >
> > Antonio
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
>


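The two code paths the thread contrasts, as an added illustration that is not Struts code and not from any of the posters: a URL whose query string is dropped into an href as-is, beside the same URL split at `?`, with each parameter run through `java.net.URLEncoder.encode` and the whole thing rebuilt (the parse-then-encode path Dave describes for `mergeRequestParameters` / `parseQueryString`). The class, method names and the sample URL are constructed for this example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Struts code): parse a URL's query string, re-encode
 * every key and value with URLEncoder, and rebuild the URL. Characters
 * such as '"', '<' and '>' that would terminate an HTML attribute survive
 * raw concatenation but come out percent-encoded on the parsed path.
 */
public class UrlParseEncodeDemo {

    /** Split "a=1&b=2" into an ordered map; keys and values are URL-decoded. */
    static Map<String, String> parseQueryString(String query) throws UnsupportedEncodingException {
        Map<String, String> params = new LinkedHashMap<String, String>();
        if (query == null || query.length() == 0) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    /** Rebuild base?k=v&... with every key and value passed through URLEncoder.encode. */
    static String buildUrl(String base, Map<String, String> params) throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder(base);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep)
              .append(URLEncoder.encode(e.getKey(), "UTF-8"))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
            sep = "&";
        }
        return sb.toString();
    }

    /** Split at the first '?', parse the query, encode each parameter and rebuild. */
    static String parseAndEncode(String url) throws UnsupportedEncodingException {
        int q = url.indexOf('?');
        if (q < 0) {
            return url;
        }
        return buildUrl(url.substring(0, q), parseQueryString(url.substring(q + 1)));
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample: a query value carrying characters that matter inside href="...".
        String untrusted = "/list.action?q=a\"><b>x</b>&page=2";

        // Path 1: the value lands in the attribute exactly as supplied.
        System.out.println("raw:     <a href=\"" + untrusted + "\">");

        // Path 2: parsed, each parameter encoded, then rebuilt.
        // Prints /list.action?q=a%22%3E%3Cb%3Ex%3C%2Fb%3E&page=2
        System.out.println("encoded: <a href=\"" + parseAndEncode(untrusted) + "\">");
    }
}
```

Only the percent-encoding of parameter names and values is shown here. Writing the `&` between parameters as `&amp;` when the URL is emitted into HTML is a separate step, which is what the escapeAmp flag asked about above appears to govern in buildUrl; the example leaves it out.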
