From: "Antonio Petrelli" <antonio.petrelli@gmail.com>
To: "Struts Users Mailing List" <user@struts.apache.org>
Subject: Re: Feedback: WW-2414, XSS attack is possible if using and
Date: Sun, 13 Jan 2008 16:37:28 +0100
In-Reply-To: <47899D8F.2020001@blueskyminds.com.au>

2008/1/13, Jeromy Evans:
> I don't think this is a critical problem sheerly because the high
> prevalence of such vulnerabilities means some of the responsibility
> falls on the developer to not trust user-entered data..

This is not the case: I think it is a bug, since the URL in should be
*parsed* before, extracting the eventual querystring and its parameters.
It is a bug, since ganfab (sorry I cannot read your name :-) ) tried to
use the and it works.
I don't know how of JSTL works, but I firmly suppose that it parses the URL.

Antonio
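An added example, not Struts code and not from anyone in this thread, of the parse-then-encode step Antonio is arguing for: the URL handed to a tag is split into path and query, each parameter is decoded and re-URL-encoded on its own, and the rebuilt string is escaped before it lands inside an `href` attribute. The class and helper names are assumptions.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public final class UrlTagDemo {
    /** Split "path?a=b&c=d" into a decoded parameter map (hypothetical helper). */
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0) return params;
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(k, StandardCharsets.UTF_8),
                       URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return params;
    }

    /** Rebuild the URL with each parameter URL-encoded, then escape it for an HTML attribute. */
    static String renderHref(String url) {
        int q = url.indexOf('?');
        StringBuilder sb = new StringBuilder(q < 0 ? url : url.substring(0, q));
        String sep = "?";
        for (Map.Entry<String, String> e : parseQuery(url).entrySet()) {
            sb.append(sep).append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=').append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = "&";
        }
        return escapeAttr(sb.toString());
    }

    /** Minimal HTML attribute escaping; a real tag library should use its own escaper. */
    static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("'", "&#39;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    public static void main(String[] args) {
        // Constructed input: a query value that would close href="..." if copied verbatim.
        String raw = "/search.action?q=\"><b>x</b>&page=2";
        System.out.println("unparsed: <a href=\"" + raw + "\">");
        System.out.println("parsed:   <a href=\"" + renderHref(raw) + "\">");
    }
}
```

The first line printed shows the attribute being closed early by the raw value; the second keeps the quote and angle brackets inert because they were URL-encoded per parameter and then attribute-escaped.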