You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Yasser Zamani (Jira)" <ji...@apache.org> on 2022/06/01 14:26:00 UTC
[jira] [Commented] (WW-5183) HTML tag's ID attribute's value output by struts is different between struts2.5.26 and struts2.5.30.
[ https://issues.apache.org/jira/browse/WW-5183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17544933#comment-17544933 ]
Yasser Zamani commented on WW-5183:
-----------------------------------
Hi [~takehiro.hidaka] ,
Thanks for the kind reaching out :)
No it's not a bug. It's an improvement to protect user's apps against XSS when potentially, as a mistake, developer uses not trusted (validated) user input as e.g. action name etc. So an attacker could exploit XSS via posting JS scripts as e.g. action name etc. Because Struts uses 'id' a lot internally to generate required JS scripts, so an attacker could inject its own JS scripts.
Please see [https://github.com/apache/struts/pull/496/files] and search for phrase 'escape'.
Credits to Chris McCown [https://cwiki.apache.org/confluence/display/WW/S2-062]
BTW please note that basically you shouldn't depend on Struts internal behavior :)
> HTML tag's ID attribute's value output by struts is different between struts2.5.26 and struts2.5.30.
> ----------------------------------------------------------------------------------------------------
>
> Key: WW-5183
> URL: https://issues.apache.org/jira/browse/WW-5183
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.5.30
> Reporter: takehiro.hidaka
> Assignee: Yasser Zamani
> Priority: Critical
>
> Hi!
> I love struts.
> And I updated from 2.5.26 to 2.5.30 to use the latest version.
> And I noticed that the content generated by HTML is different.
> Specifically, the code and output are as follows.
> Hello.jsp
> {code:java}
> <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
> <%@ taglib prefix="s" uri="/struts-tags"%>
> <!DOCTYPE html>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
> <title>Struts2</title>
> </head>
> <body>
> <s:form action="hello-action">
> <s:textfield name="name" />
> <s:submit value="submit" />
> </s:form>
> </body>
> </html> {code}
> struts2.5.26 output
> {code:java}
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
> <title>Struts2</title>
> </head>
> <body>
> <form id="hello-action" name="hello-action" action="hello-action" method="post">
> <input type="text" name="name" value="" id="hello-action_name"> <!— The value of the automatically generated ID here is different. —>
> <input type="submit" value="submit" id="hello-action_0">
> </form>
> </body>
> </html> {code}
> struts2.5.30 output
> {code:java}
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
> <title>Struts2</title>
> </head>
> <body>
> <form id="hello_action" name="hello_action" action="hello-action" method="post">
> <input type="text" name="name" value="" id="hello_action_name"> <!— The value of the automatically generated ID here is different. —>
> <input type="submit" value="submit" id="hello_action_0">
> </form>
> </body>
> </html> {code}
> Previously, the ID value was generated by inheriting the action name.
> However, in 2.5.30, the hyphen is changed to an underscore and output.
> My project uses the jQuery selector. Therefore, accepting this 'struts' change would require changes to all selectors, which is very costly.
> Is this the correct change? Or is it a bug?
> Thank you!
--
This message was sent by Atlassian Jira
(v8.20.7#820007)