struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jordi Fernandez <>
Subject No escape in hidden and other input tags
Date Fri, 15 Jan 2010 09:11:06 GMT

The s2 hidden tag (and other input tags) does no escape html characters by
default as the property tag does. This can lead easily to XSS attacks if
you develop a stateless application in which the client is maintaining
state. Is there a good reason for this? I think a sensible default would be
to escape html in all input tags. What do you think?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message