You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@struts.apache.org by bu...@apache.org on 2001/11/09 18:51:54 UTC

DO NOT REPLY [Bug 4775] New: - Systemic error in struts - no HTML encoding is performed

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4775>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4775

Systemic error in struts - no HTML encoding is performed

           Summary: Systemic error in struts - no HTML encoding is performed
           Product: Struts
           Version: 1.0 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Unknown
        AssignedTo: struts-dev@jakarta.apache.org
        ReportedBy: jon+apache-bugzilla@unequivocal.co.uk


There is a systemic error in the whole of struts and all the example programs, 
so far as I can see - it is not filtering output through ResponseWriter.filter
().

Simple example of just one of these many bugs:
  alttag=A 6" plank of wood

  <html:img src="plank.jpg" altKey="alttag"/>

This is at the very least a bug, and may well be a security problem (in other 
contexts) due to CSS.

Hmm, it also appears to be a bug in JSP, in that:
  <html:img src="plank.jpg" altKey="altta&#67;">
should behave identically to the above, but it doesn't, because JSP is failing 
to un-html-encode the parameter before passing it to the Java code.

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>