struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Musachy Barroso <>
Subject Re: Hidden tag does not HTML Encode
Date Tue, 18 Aug 2009 16:11:12 GMT
hum, I am not sure about this, the value of the hidden input is
printed using the "property" tag, from hidden.ftl:

<input type="hidden"<#rt/>
<#if parameters.nameValue??>
 value="< value="parameters.nameValue"/>"<#rt/>


On Tue, Aug 18, 2009 at 8:24 AM, Redfield, Jon<> wrote:
> We're finishing up our first Struts 2 project (ver 2.1.6) and a security scan has shown
that the <s:hidden> tag is vulnerable to cross site scripting because it does not encode
special characters.  This feels like a bug, but is it?  We've since learned to use the scope
interceptor, however there are still times we'd like to use <s:hidden> but can't unless
we clean the data ourselves.  We've found that the <s:property> tag does HTML Encoding,
and the <s:url> and <s:a> tags do URI Encoding, and feel the framework should
also cleanse <s:hidden>.
> Any thoughts?
> Jon Redfield
> Software Engineer
> ----------------------------------------------------------------------
> This message and any attachments are intended only for the use of the addressee and may
contain information that is privileged and confidential. If the reader of the message is not
the intended recipient or an authorized representative of the intended recipient, you are
hereby notified that any dissemination of this communication is strictly prohibited. If you
have received this communication in error, notify the sender immediately by return email and
delete the message and any attachments from your system.

"Hey you! Would you help me to carry the stone?" Pink Floyd

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message