struts-user mailing list archives

From "Antonio Petrelli" <>
Subject Re: Feedback: WW-2414, XSS attack is possible if using <s:url ...> and <s:a ...>
Date Sun, 13 Jan 2008 15:37:28 GMT
2008/1/13, Jeromy Evans <>:
> I don't think this is a critical problem sheerly because the high
> prevalence of such vulnerabilities means some of the responsibility
> falls on the developer to not trust user-entered data.

This is not the case: I think it is a bug, since the url in <s:url>
should be *parsed* before, extracting the eventual querystring and its
It is a bug, since ganfab (sorry I cannot read your name :-) ) tried
to use the <s:param> and it works.
I don't know how <c:url> of JSTL works, but I firmly suppose that it
parses the URL.
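The parsing step the reply argues for, as an added illustration that is not Struts code nor anything from the WW-2414 ticket: a URL string is split into its path and query string, every parameter name and value is decoded and then re-encoded, and the result is escaped once more for use inside an HTML attribute. The class name `SafeUrlBuilder`, the helper names and the sample URL are all assumptions made up for this example; it relies only on `java.net` and runs on Java 10 or later (the `Charset` overloads of `URLDecoder`/`URLEncoder`).

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper; the names below are assumptions for this example.
public class SafeUrlBuilder {

    // Split "a=1&b=2" into ordered name/value pairs, decoding each component.
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Rebuild a URL from its parts so that every parameter is URL-encoded,
    // regardless of how it arrived in the raw string.
    static String rebuild(String raw) {
        // Drop any fragment: it is never sent to the server and is not our concern here.
        int hash = raw.indexOf('#');
        String noFragment = hash < 0 ? raw : raw.substring(0, hash);

        int q = noFragment.indexOf('?');
        String path = q < 0 ? noFragment : noFragment.substring(0, q);
        String query = q < 0 ? null : noFragment.substring(q + 1);

        StringBuilder out = new StringBuilder(path);
        boolean first = true;
        for (Map.Entry<String, String> e : parseQuery(query).entrySet()) {
            out.append(first ? '?' : '&');
            first = false;
            out.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8));
            out.append('=');
            out.append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return out.toString();
    }

    // Escape for an HTML attribute value such as href="...".
    static String htmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a query value carrying characters that would break
        // out of an href attribute if copied into the page unchanged.
        String raw = "/search.action?q=<b>x</b>&page=1\"><i>";

        String rebuilt = rebuild(raw);
        // /search.action?q=%3Cb%3Ex%3C%2Fb%3E&page=1%22%3E%3Ci%3E
        System.out.println("rebuilt URL : " + rebuilt);

        // What finally lands inside href="...": the & separator becomes &amp;
        System.out.println("href value  : " + htmlAttribute(rebuilt));
    }
}
```

Two layers are deliberately separate: `rebuild` makes the parameters safe as a URL, and `htmlAttribute` makes the URL safe as attribute text. Passing the raw string straight to the second step would still emit the parameter characters, only entity-encoded, which is why the reply insists on parsing first.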

