hum, I am not sure about this, the value of the hidden input is printed using the "property" tag, from hidden.ftl:
<input type="hidden"<#rt/>
name="${parameters.name?default("")?html}"<#rt/>
<#if parameters.nameValue??>
value="<@s.property value="parameters.nameValue"/>"<#rt/>

musachy

On Tue, Aug 18, 2009 at 8:24 AM, Redfield, Jon <jon_redfi...@adp.com> wrote:
> We're finishing up our first Struts 2 project (ver 2.1.6) and a security scan
> has shown that the <s:hidden> tag is vulnerable to cross site scripting
> because it does not encode special characters. This feels like a bug, but is
> it? We've since learned to use the scope interceptor, however there are
> still times we'd like to use <s:hidden> but can't unless we clean the data
> ourselves. We've found that the <s:property> tag does HTML Encoding, and the
> <s:url> and <s:a> tags do URI Encoding, and feel the framework should also
> cleanse <s:hidden>.
>
> Any thoughts?
>
> Jon Redfield
> Software Engineer
>
> ----------------------------------------------------------------------
> This message and any attachments are intended only for the use of the
> addressee and may contain information that is privileged and confidential. If
> the reader of the message is not the intended recipient or an authorized
> representative of the intended recipient, you are hereby notified that any
> dissemination of this communication is strictly prohibited. If you have
> received this communication in error, notify the sender immediately by return
> email and delete the message and any attachments from your system.
>

--
"Hey you! Would you help me to carry the stone?" Pink Floyd

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
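A way to settle the question in the thread is to check the rendered markup rather than read the template. The added example below (not code from the thread or from Struts) emulates what the hidden.ftl fragment emits for a name/value pair, with and without the ?html / <s:property> style encoding, and uses an HTML parser to confirm whether the value stays inside its attribute; the encoding is approximated with Python's html.escape, which additionally escapes the single quote.

```python
"""Added example: does the hidden input's encoding keep a value inside its attribute?
Not code from the mailing-list thread or from Struts; the encoding below is an
approximation of FreeMarker's ?html built-in using html.escape (which also escapes ')."""
from html import escape
from html.parser import HTMLParser


def render_hidden(name: str, value: str, encode: bool) -> str:
    """Emit the markup hidden.ftl produces. With encode=True the name and value get
    the ?html / <s:property> treatment; with encode=False they are written raw."""
    if encode:
        name, value = escape(name, quote=True), escape(value, quote=True)
    return f'<input type="hidden" name="{name}" value="{value}"/>'


class _TagCollector(HTMLParser):
    """Record every element the browser would see, with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    """Parse markup into a list of (tag, attributes) tuples."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def round_trips(name: str, value: str, encode: bool) -> bool:
    """True when the markup parses back to exactly one hidden input carrying the
    original name and value; False when the value escaped the attribute and
    produced extra elements."""
    tags = parse_tags(render_hidden(name, value, encode))
    return tags == [("input", {"type": "hidden", "name": name, "value": value})]


# Constructed sample value: closes the attribute and the tag, then adds an element.
SAMPLE_VALUE = '"><b>injected</b>'

if __name__ == "__main__":
    print("encoded round-trips:  ", round_trips("id", SAMPLE_VALUE, encode=True))
    print("unencoded round-trips:", round_trips("id", SAMPLE_VALUE, encode=False))
```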