Posted to user@struts.apache.org by otsuka <t....@gmail.com> on 2006/11/14 05:46:18 UTC

XSS vulnerability?

The value of the "lang" attribute which the <html:html> tag generates is
not escaped. I think it could cause an XSS problem if the Accept-Language
HTTP header's value is replaced with a <script> tag.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: XSS vulnerability?

Posted by James Mitchell <ja...@mac.com>.
Even if a malicious header was written into the request, from ...
let's say, a redirect or something else, the HtmlTag does not parse
any headers so there's no way to inject a bad value for
Accept-Language.  And even if you were able to spoof the header, Struts
looks inside the request to get the user's Locale.  So, if there is an
XSS vulnerability with respect to accept-lang, it would be due to a
broken container and not from a broken framework.

So, from everything I can see, this is invalid.


--
James Mitchell
678.910.8017




On Nov 13, 2006, at 11:46 PM, otsuka wrote:

> The value of the "lang" attribute which the <html:html> tag generates is
> not escaped. I think it could cause an XSS problem if the Accept-Language
> HTTP header's value is replaced with a <script> tag.




Re: XSS vulnerability?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Otsuka,

otsuka wrote:
> The value of the "lang" attribute which the <html:html> tag generates is
> not escaped. I think it could cause an XSS problem if the Accept-Language
> HTTP header's value is replaced with a <script> tag.

Have you tried doing this? If so, what happens?

-chris


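
As an added illustration of the question debated in this thread (not code from Struts or from any poster): a hypothetical helper that builds the opening <html> tag from a Locale, emits "lang" only when the value has the shape of a language tag, and escapes it for a quoted attribute. The class and method names are assumptions, and the second Locale is constructed to carry markup the way the original post describes.

```java
import java.util.Locale;
import java.util.regex.Pattern;

// Added example: hypothetical helper, not the framework's own tag implementation.
public class LangAttribute {
    // Conservative shape for a language tag: 1-8 character subtags joined by '-'.
    private static final Pattern SAFE_TAG =
        Pattern.compile("[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*");

    // Escape the characters that can end or break out of a quoted attribute value.
    static String escapeAttr(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Build the opening tag; drop the lang attribute when the value is not tag-shaped.
    static String openHtmlTag(Locale locale) {
        String lang = (locale == null) ? "" : locale.getLanguage();
        if (!SAFE_TAG.matcher(lang).matches()) {
            return "<html>";
        }
        // Escaping is kept even after validation, as a second independent layer.
        return "<html lang=\"" + escapeAttr(lang) + "\">";
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary locale, and one whose language is markup.
        // The Locale constructor performs no syntactic checks on its arguments.
        Locale normal = new Locale("en", "US");
        Locale hostile = new Locale("<script>", "");
        System.out.println(openHtmlTag(normal));
        System.out.println(openHtmlTag(hostile));
        System.out.println(escapeAttr("<script>"));
    }
}
```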