Posted to issues@struts.apache.org by "Petteri Kauko (JIRA)" <ji...@apache.org> on 2010/03/10 14:25:27 UTC
[jira] Created: (WW-3405) fielderror -tag does not escape the error message if param tag is used
fielderror -tag does not escape the error message if param tag is used
----------------------------------------------------------------------
Key: WW-3405
URL: https://issues.apache.org/jira/browse/WW-3405
Project: Struts 2
Issue Type: Bug
Affects Versions: 2.1.8.1
Environment: Windows Vista, Weblogic 10.3.2, Struts 2.1.8.1
Reporter: Petteri Kauko
Noticed this when I wanted to have the field contents as part of the error message. In this case, the error message I'm using has ${trackingCode} as part of it and there's an input field in the form named trackingCode. Class error_text is a simple class that colors the text red.
When using fielderror as follows:
<s:fielderror theme="simple" cssClass="error_text" />
If the field trackingCode contains JavaScript, the script is just printed on the page as part of the error message. Also, possible HTML entities in the resource bundle are printed out with the ampersand -> ä is just printed out as it was in the resource bundle.
When using fielderror like this:
<s:fielderror theme="simple" cssClass="error_text" >
<s:param>trackingCode</s:param>
</s:fielderror>
If the field trackingCode contains JavaScript, the script is executed on page load. Also, any HTML entities in the resource bundle are not escaped, hence ä becomes ä on the page.
I think this is an obvious bug, but I was unable to find an issue for it.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
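The two behaviours in the report come down to where escaping is applied. As an added illustration (this is not Struts code and not part of the thread), the Java snippet below renders a message template with ${name} placeholders the way the reporter's ${trackingCode} message works: the unsafe variant pastes the submitted field value in verbatim, while the corrected variant HTML-escapes each substituted value and leaves the trusted resource-bundle text, entities included, untouched. The template, the field name and the sample value are constructed for the example, and the helper names (renderUnsafe, renderEscaped, escapeHtml) are hypothetical.

```java
// Added example, not Struts code: a value taken from the request must be
// HTML-escaped before it is substituted into a localized error message.
// The message template comes from the developer-controlled resource bundle
// and is not re-escaped, so an entity such as &auml; still renders as "ä".
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FieldErrorRendering {

    // Matches placeholders of the form ${identifier}
    private static final Pattern PLACEHOLDER =
            Pattern.compile("\\$\\{([A-Za-z0-9_]+)\\}");

    /** Minimal HTML escaper suitable for text content and attribute values. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Unsafe: substitutes request values verbatim (the behaviour reported above). */
    static String renderUnsafe(String template, Map<String, String> values) {
        return substitute(template, values, false);
    }

    /** Corrected: every substituted value is escaped; the trusted template is left as-is. */
    static String renderEscaped(String template, Map<String, String> values) {
        return substitute(template, values, true);
    }

    private static String substitute(String template, Map<String, String> values, boolean escape) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String v = values.getOrDefault(m.group(1), "");
            if (escape) {
                v = escapeHtml(v);
            }
            // quoteReplacement keeps '$' or '\' inside the value from being read as a group reference
            m.appendReplacement(out, Matcher.quoteReplacement(v));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a bundle message containing an entity, and a field
        // value carrying markup, as a user could submit it in the trackingCode field.
        String template = "Tracking code ${trackingCode} is invalid (k&auml;ytt&auml;j&auml;).";
        Map<String, String> values = Map.of("trackingCode", "<b>ABC</b>");

        System.out.println(renderUnsafe(template, values));
        System.out.println(renderEscaped(template, values));
    }
}
```

Running main prints the message twice: in the first line the submitted `<b>ABC</b>` reaches the browser as live markup, which is the param-tag behaviour the report describes; in the second line the angle brackets are turned into entities so the value is shown as text, while `&auml;` in the bundle text is passed through and displays as "ä". The escaped output is only correct for an HTML text or attribute context; a value placed inside a script block or a URL needs the encoder for that context instead.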
[jira] Closed: (WW-3405) fielderror -tag does not escape the error message if param tag is used
Posted by "Petteri Kauko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Petteri Kauko closed WW-3405.
-----------------------------
Fixed my case at least. Thank you.
[jira] Issue Comment Edited: (WW-3405) fielderror -tag does not escape the error message if param tag is used
Posted by "Petteri Kauko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12849618#action_12849618 ]
Petteri Kauko edited comment on WW-3405 at 3/25/10 8:50 AM:
------------------------------------------------------------
The fact that this report of a XSS vulnerability just sits here and seems to interest nobody makes me wonder how many other fatal security flaws Struts2 might have under the hood that I just haven't noticed yet.
was (Author: petterikauko):
The fact that this XSS vulnerability just sits here and seems to interest nobody makes me wonder how many other fatal security flaws Struts2 might have under the hood that I just haven't noticed yet.
[jira] Updated: (WW-3405) fielderror -tag does not escape the error message if param tag is used
Posted by "Petteri Kauko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Petteri Kauko updated WW-3405:
------------------------------
Priority: Critical (was: Major)
[jira] Updated: (WW-3405) fielderror -tag does not escape the error message if param tag is used
Posted by "Petteri Kauko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Petteri Kauko updated WW-3405:
------------------------------
The fact that this XSS vulnerability just sits here and seems to interest nobody makes me wonder how many other fatal security flaws Struts2 might have under the hood that I just haven't noticed yet.
[jira] Resolved: (WW-3405) fielderror -tag does not escape the error message if param tag is used
Posted by "Lukasz Lenart (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lukasz Lenart resolved WW-3405.
-------------------------------
Resolution: Fixed
Fix Version/s: 2.2.0
Assignee: Lukasz Lenart
Resolved, now the values are escaped as well!
[jira] Commented: (WW-3405) fielderror -tag does not escape the error message if param tag is used
Posted by "Lukasz Lenart (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WW-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12849681#action_12849681 ]
Lukasz Lenart commented on WW-3405:
-----------------------------------
It took only two weeks ;-)