struts-user mailing list archives

From "Antonio Petrelli" <antonio.petre...@gmail.com>
Subject Re: Feedback: WW-2414, XSS attack is possible if using <s:url ...> and <s:a ...>
Date Sun, 13 Jan 2008 15:37:28 GMT
2008/1/13, Jeromy Evans <jeromy.evans@blueskyminds.com.au>:
> I don't think this is a critical problem sheerly because the high
> prevalence of such vulnerabilities means some of the responsibility
> falls on the developer to not trust user-entered data.

This is not the case: I think it is a bug, since the url in <s:url>
should be *parsed* before, extracting the eventual querystring and its
parameters.
It is a bug, since ganfab (sorry I cannot read your name :-) ) tried
to use the <s:param> and it works.
I don't know how <c:url> of JSTL works, but I firmly suppose that it
parses the URL.

Antonio

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

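As an added illustration of the point argued in this thread (this is example code written for this page, not Struts code and not part of Antonio's or Jeromy's messages), the class below contrasts the two ways of building the href. `naiveHref` drops the already-evaluated tag value straight into the attribute, so a query-string value that contains a double quote breaks out of `href` and adds an event handler. `parsedHref` does what the message argues the tag should do: split off the query string, percent-encode each name and value individually (the same effect as supplying them through `<s:param>`), and only then escape the result for the HTML attribute. The class and method names, the sample input and the escaping rules are assumptions made for the example; the code does not claim to reproduce how Struts implements the fix for WW-2414. It needs Java 10 or later for `URLEncoder.encode(String, Charset)`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Struts code: builds an <a href="..."> the naive way
 * (string concatenation, the pattern discussed under WW-2414) and the
 * parsed way (query string split into parameters, each percent-encoded,
 * then the whole URL escaped for the attribute context).
 */
public class UrlBuildDemo {

    /** Naive: the evaluated tag value lands in the href unchanged. */
    static String naiveHref(String value) {
        return "<a href=\"" + value + "\">link</a>";
    }

    /** Minimal HTML attribute escaping (assumed rules for this example). */
    static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Splits "a=1&b=2" into an ordered name->value map; values stay raw here. */
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        if (query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String val = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(name, val);
        }
        return params;
    }

    /**
     * Parsed: separate path and query string, merge in parameters given
     * separately (the <s:param> equivalent), percent-encode every name and
     * value, then escape the assembled URL for the attribute.
     */
    static String parsedHref(String value, Map<String, String> extraParams) {
        int q = value.indexOf('?');
        String path = q < 0 ? value : value.substring(0, q);
        Map<String, String> params = parseQuery(q < 0 ? "" : value.substring(q + 1));
        params.putAll(extraParams);

        StringBuilder url = new StringBuilder(path);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            url.append(sep)
               .append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
               .append('=')
               .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = "&";
        }
        return "<a href=\"" + escapeAttr(url.toString()) + "\">link</a>";
    }

    public static void main(String[] args) {
        // Constructed attacker input: closes the href attribute and adds a handler.
        String userInput = "x\" onmouseover=\"alert(1)";
        String tagValue = "/search.action?q=" + userInput;

        // Attribute is broken out of; the handler becomes part of the tag.
        System.out.println(naiveHref(tagValue));

        // Query string parsed and re-encoded: the quote is now %22 inside the value.
        System.out.println(parsedHref(tagValue, Map.of()));

        // Same safe result when the parameter is passed separately, as with <s:param>.
        System.out.println(parsedHref("/search.action", Map.of("q", userInput)));
    }
}
```

Running `main` shows the first line with `onmouseover` as a live attribute and the other two with it percent-encoded inside the `q` value. The path part is not percent-encoded by this example, only attribute-escaped, so it is protected against breaking out of the attribute but not normalised; that is a simplification, not a recommendation.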
