struts-user mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: <html:html> XSS vulnerability?
Date Tue, 14 Nov 2006 13:33:19 GMT

Otsuka,

otsuka wrote:
> The value of the "lang" attribute which the <html:html> tag generates is
> not escaped. I think it could cause an XSS problem if the Accept-Language
> HTTP header's value is replaced with a <script> tag.

Have you tried doing this? If so, what happens?

-chris

