I'm trying to understand where the real problem is. I think that there are 2 issues. Both important. One in s:url and the other in s:a.

s:url generates a URL that can contain a malicious query string (it doesn't encode anything except what is passed with s:param). And this is not good, mainly because when someone says encode=true, he expects to receive a safe URL.

s:a doesn't care about what it is putting in the output! In a few words, if in the href of s:a we put a variable %{var} that contains a "double quote" and a greater-than symbol: ">, those will close the <a> tag, and malicious javascript can be injected into this page.

This bad behaviour can happen when we use a URL generated by s:url.. but, more dangerously, if we put a variable (i.e. coming from the DB) inside the href of s:a, it can happen that we have permanent malicious javascript code infecting our site and stealing the cookies (and sessions...) of our users... In a few words, if a hacker finds where we put a variable from the DB in an s:a and he has a way to store malicious code in that DB record, the security of every user of our website will be in danger.

Can such a thing be acceptable? Any thoughts?

GF

On Jan 12, 2008 10:53 AM, GF <[EMAIL PROTECTED]> wrote:
> I posted this bug report on the issue tracker:
>
> https://issues.apache.org/struts/browse/WW-2414
>
> In simple words, if you use <s:url ...> to build a URL that is used
> with <s:a ...> the HTML written out will not have the "querystring"
> encoded.. and this leads to very dangerous XSS attacks.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
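The attribute break-out the post describes, as an added plain-Java example (not code from Struts or from the poster): the anchor builders, the encoder and the "DB" value are all constructed here, and the unencoded builder only mimics what the post says s:a does with its href.

```java
// Added example: why a value written verbatim into the href of an <a> tag can
// close the attribute and the tag, and what HTML attribute encoding does about it.
public class HrefEncodingDemo {

    // Encode the characters that matter inside a double-quoted HTML attribute.
    static String encodeHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Mimics the behaviour described in the post: href is written out as-is.
    static String anchorUnencoded(String href, String text) {
        return "<a href=\"" + href + "\">" + text + "</a>";
    }

    // Hardened variant: both the attribute value and the body are encoded for their context.
    static String anchorEncoded(String href, String text) {
        return "<a href=\"" + encodeHtmlAttribute(href) + "\">" + encodeHtmlAttribute(text) + "</a>";
    }

    // Counts tag openers; a single well-formed anchor has exactly two ("<a" and "</a").
    // More than two means the untrusted value escaped the attribute and started new markup.
    static int tagOpeners(String html) {
        int n = 0;
        for (char c : html.toCharArray()) if (c == '<') n++;
        return n;
    }

    public static void main(String[] args) {
        // Constructed value standing in for a DB field; the "> is the post's own example.
        String fromDb = "page.action?id=7\"><b>injected</b";
        String bad = anchorUnencoded(fromDb, "link");
        String good = anchorEncoded(fromDb, "link");
        System.out.println(bad + "  openers=" + tagOpeners(bad));   // tag closed early, extra markup follows
        System.out.println(good + "  openers=" + tagOpeners(good)); // value stays a plain attribute string
    }
}
```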