struts-issues mailing list archives

From "Rene Gielen (JIRA)" <>
Subject [jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with <s:textfield>
Date Wed, 30 Mar 2016 08:34:25 GMT


Rene Gielen commented on WW-4507:

[~taromaru] I'm not sure if my analysis above is completely wrong. However, this is an interesting
finding and I see your point.

Historically we had many issues with solely relying on "standard" encoding querying functions
like response.getCharacterEncoding(). That's why the struts.i18n.encoding property was introduced
(originally even in webwork). With its help we force a user configurable encoding.

Users are responsible for configuring consistent encoding, that is, having page encoding match
their Struts 2 setup. The best solution to your point is IMO to use consistent encoding
in page encoding, connector setup and struts.i18n.encoding. Besides that, we recommend
using UTF-8 only. See also

This particular issue WW-4507 deals with a platform problem. After talking to the Tomcat guys,
we agreed to add additional safety by using their encoding logic where it applies to framework
calls. But we also said: this is a platform issue, please move to a supported JRE. There is
a reason why the old decoding rule was ditched, so we can only encourage our users to move
to a modern and less buggy environment.

If you feel like the Include component should use response.getCharacterEncoding rather than
struts.i18n.encoding, you are invited to open a new issue to let us discuss this, along with
possible implications.

> Struts 2 XSS vulnerability with <s:textfield>
> ---------------------------------------------
>                 Key: WW-4507
>                 URL:
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions:
>         Environment: Operating System:  Windows 7.  Application Server:  JBoss-4.2.1.GA.  Java: jdk1.5.0.11.  Development Framework:  Struts  Browser:  FireFox 38.0.1
>            Reporter: brian neisen
>            Assignee: Rene Gielen
>              Labels: struts2, vulnerability, xss
>             Fix For: 2.3.28, 2.5
>
> WhiteHat Security ( has found an xss vulnerability with the <s:textfield>
> tag.   When loading a url in a browser with some param name, in this case "myinput", and the
> jsp being loaded has the tag <s:textfield name="myinput" id="myinput"></s:textfield>,
> an alert message is popped open in the browser, which is WhiteHat's method of showing the
> vulnerability.  Example url is: [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]

This message was sent by Atlassian JIRA
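
Added example, not part of the original message and not Struts or Tomcat code: a strict UTF-8 decode of a percent-encoded parameter, which rejects the six-byte `%fc%80%80%80%80%xx` form seen in the reported URL instead of mapping it to an ASCII character. It assumes a current JRE (Java 7 or later, whose UTF-8 decoder treats such sequences as malformed); the class and method names are hypothetical and the sample values are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

// Added illustration; names are hypothetical, not Struts or Tomcat APIs.
public class StrictUtf8Param {

    // Hex digit value, restricted to ASCII so Unicode digit look-alikes are refused.
    static int hex(char c) { return c < 0x80 ? Character.digit(c, 16) : -1; }

    // Turn %XX escapes into raw bytes without applying any charset yet.
    static byte[] percentDecode(String raw) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c > 0x7F) throw new IllegalArgumentException("non-ASCII in encoded value");
            if (c == '+') { out.write(' '); continue; }
            if (c != '%') { out.write(c); continue; }
            if (i + 2 >= raw.length()) throw new IllegalArgumentException("truncated escape");
            int hi = hex(raw.charAt(i + 1)), lo = hex(raw.charAt(i + 2));
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad escape");
            out.write((hi << 4) | lo);
            i += 2;
        }
        return out.toByteArray();
    }

    // Decode as UTF-8 and fail on any malformed sequence instead of substituting or guessing.
    static String decodeStrict(String raw) throws CharacterCodingException {
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(percentDecode(raw)))
                .toString();
    }

    static boolean isWellFormed(String raw) {
        try { decodeStrict(raw); return true; }
        catch (CharacterCodingException | IllegalArgumentException e) { return false; }
    }

    public static void main(String[] args) {
        // Constructed samples; the first is the six-byte form that opens the reported URL.
        String[] samples = { "%fc%80%80%80%80%a2", "%C0%BC", "caf%C3%A9", "plain+text" };
        for (String s : samples) {
            System.out.println((isWellFormed(s) ? "accept " : "reject ") + s);
        }
    }
}
```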
