struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Mitchell <>
Subject Re: <html:html> XSS vulnerability?
Date Sun, 19 Nov 2006 18:51:55 GMT
Even if a malicious header was written into the request, from ...  
let's say, a redirect or something else, the HtmlTag does not parse  
any headers so there's no way to inject a bad value for Accept- 
Language.  And even if you were able to spoof the header, Struts  
looks inside the request to get the users Locale.  So, if there is an  
XSS vulnerability with respect to accept-lang, it would be due to a  
broken container and not from a broken framework.

So, from everything I can see, this is invalid.

James Mitchell

On Nov 13, 2006, at 11:46 PM, otsuka wrote:

> The value of "lang" attribute which <html:html> tag generates is
> not escaped. I think it could cause XSS problem If Accept-Language
> HTTP header's value is replaced with <script> tag.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message