Posted to user@struts.apache.org by Wataru Fukushima <w....@pfu.fujitsu.com> on 2003/05/26 14:13:41 UTC
Why not filter HTML sensitive characters in <html:options name="xxx">?
I'm using jakarta-struts 1.1-rc1 on jakarta-tomcat 4.1.24
w/ J2SE SDK v1.3.1_08.
I wonder why not struts filter HTML sensitive characters
for the attribute "name" in <html:options>.
<Example>
JSP:
<%
String[] data = new String[]{"foo<>"};
pageContext.setAttribute("data", data);
%>
<html:options name="data" labelName="data" filter="true"/>
output (HTML):
<option value="foo<>">foo&lt;&gt;</option>
I expected (HTML):
<option value="foo&lt;&gt;">foo&lt;&gt;</option>
Are there any reasons to behave that?
Do I have to use <logic:iterate> and <html:option> instead of
<html:options>?
Thanks in advance.
-------------------------------
Wataru Fukushima
PFU LIMITED
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: Why not filter HTML sensitive characters in <html:options name="xxx">?
Posted by Wataru Fukushima <w....@pfu.fujitsu.com>.
Thank you for your reply, Mike,
On Mon, 26 May 2003 13:43:38 +0100, according to the article
"RE: Why not filter HTML sensitive characters in <html:options name="xxx">?"
Mike Whittaker <mi...@ntlworld.com> wrote:
> Well it did filter it for the view, but the value doesn't need filtering
> since it is filtered anyway upon submission. Submit that under a GET and
> the url is encoded. eg ?q=%3C%3E for '<>'
How about this case?
Isn't it a Cross Site Scripting Vulnerability?
> ><Example>
> >
> >JSP:
> >
> > <%
> > String[] data = new String[]{"foo<>"};
String[] data = new String[]{"\"><script>alert('bar');</script>"};
> > pageContext.setAttribute("data", data);
> > %>
> > <html:options name="data" labelName="data" filter="true"/>
> >
> >
> >output (HTML):
> >
> > <option value="foo<>">foo&lt;&gt;</option>
<option value=""><script>alert('bar');</script>">&quot;&gt;&lt;script&gt;alert('bar');&lt;/script&gt;</option>
> >
> >
> >I expected (HTML):
> >
> > <option value="foo&lt;&gt;">foo&lt;&gt;</option>
> >
> >
> >Are there any reasons to behave that?
> >Do I have to use <logic:iterate> and <html:option> instead of
> ><html:options>?
-------------------------------
Wataru Fukushima
PFU LIMITED
RE: Why not filter HTML sensitive characters in <html:options name="xxx">?
Posted by Mike Whittaker <mi...@ntlworld.com>.
Well it did filter it for the view, but the value doesn't need filtering
since it is filtered anyway upon submission. Submit that under a GET and
the url is encoded. eg ?q=%3C%3E for '<>'
--
Mike W.
>-----Original Message-----
>From: Wataru Fukushima [mailto:w.fukushima@pfu.fujitsu.com]
>Sent: 26 May 2003 13:14
>To: struts-user@jakarta.apache.org
>Subject: Why not filter HTML sensitive characters in <html:options
>name="xxx">?
>
>
>I'm using jakarta-struts 1.1-rc1 on jakarta-tomcat 4.1.24
>w/ J2SE SDK v1.3.1_08.
>
>I wonder why not struts filter HTML sensitive characters
>for the attribute "name" in <html:options>.
>
><Example>
>
>JSP:
>
> <%
> String[] data = new String[]{"foo<>"};
> pageContext.setAttribute("data", data);
> %>
> <html:options name="data" labelName="data" filter="true"/>
>
>
>output (HTML):
>
> <option value="foo<>">foo&lt;&gt;</option>
>
>
>I expected (HTML):
>
> <option value="foo&lt;&gt;">foo&lt;&gt;</option>
>
>
>Are there any reasons to behave that?
>Do I have to use <logic:iterate> and <html:option> instead of
><html:options>?
>
>Thanks in advance.
>
>-------------------------------
>Wataru Fukushima
>PFU LIMITED
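The behaviour the two messages above disagree about, modelled as an added example. This is not Struts' code and not from either poster: render_struts_like() imitates the output reported in the thread (label filtered, value attribute written raw), render_hardened() escapes both, and tags_in() parses the result with Python's standard-library HTMLParser so the effect of the raw value shows up as real elements rather than as a string that merely looks wrong. The function names, the escape set and the use of HTMLParser as a stand-in for a browser are this example's own choices.

```python
"""Model of <html:options filter="true"> output next to a hardened variant.

Added example, not Struts' own code. The two inputs are the ones posted in
the thread ("foo<>" and the script payload).
"""
from html.parser import HTMLParser


def html_escape(s):
    """Escape the characters that can end an attribute value or open a tag.
    '&' goes first so already-produced entities are not escaped twice."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;")
             .replace("'", "&#39;"))


def render_struts_like(value, label):
    """Label filtered, value attribute raw: the output the thread reports."""
    return '<option value="%s">%s</option>' % (value, html_escape(label))


def render_hardened(value, label):
    """Both the attribute value and the text content are escaped."""
    return '<option value="%s">%s</option>' % (html_escape(value),
                                               html_escape(label))


class _Collector(HTMLParser):
    """Records every start tag seen and the attributes of the <option>."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.option_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "option":
            # HTMLParser unescapes entity references in attribute values,
            # so this is the value a browser would submit for the option.
            self.option_attrs = dict(attrs)


def tags_in(fragment):
    """Parse a fragment roughly as a browser would.
    Returns (list of start tags in order, attributes of the <option>)."""
    c = _Collector()
    c.feed(fragment)
    c.close()
    return c.tags, c.option_attrs


def injects_script(fragment):
    """True when the rendered fragment contains a real <script> element."""
    return "script" in tags_in(fragment)[0]


# The two bean values from the thread, used as both value and label.
BENIGN = "foo<>"
PAYLOAD = "\"><script>alert('bar');</script>"

if __name__ == "__main__":
    for data in (BENIGN, PAYLOAD):
        for name, render in (("struts-like", render_struts_like),
                             ("hardened", render_hardened)):
            out = render(data, data)
            tags, attrs = tags_in(out)
            print("%-12s %s" % (name, out))
            print("%-12s tags=%r value=%r script=%r"
                  % ("", tags, attrs.get("value"), injects_script(out)))
```

Running the block shows the point of the thread: with the raw value attribute, the payload closes the attribute and the parser sees an `option` element followed by a real `script` element, with the option's value reduced to an empty string. This happens when the page is rendered in the browser, before any form is submitted, so the URL encoding applied on a GET submission (%3C%3E for '<>') is not in play yet. In the hardened output the parser sees only the `option` element, and the value it recovers from the attribute is the original string, unchanged, so escaping costs nothing functionally.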