You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@struts.apache.org by bu...@apache.org on 2001/11/09 18:51:54 UTC
DO NOT REPLY [Bug 4775] New: -
Systemic error in struts - no HTML encoding is performed
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4775>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4775
Systemic error in struts - no HTML encoding is performed
Summary: Systemic error in struts - no HTML encoding is performed
Product: Struts
Version: 1.0 Final
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: Unknown
AssignedTo: struts-dev@jakarta.apache.org
ReportedBy: jon+apache-bugzilla@unequivocal.co.uk
There is a systemic error in the whole of struts and all the example programs,
so far as I can see - it is not filtering output through ResponseWriter.filter
().
Simple example of just one of these many bugs:
alttag=A 6" plank of wood
<html:img src="plank.jpg" altKey="alttag"/>
This is at the very least a bug, and may well be a security problem (in other
contexts) due to CSS.
Hmm, it also appears to be a bug in JSP, in that:
<html:img src="plank.jpg" altKey="alttaC">
should behave identically to the above, but it doesn't, because JSP is failing
to un-html-encode the parameter before passing it to the Java code.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>