Posted to issues@struts.apache.org by "Musachy Barroso (JIRA)" <ji...@apache.org> on 2009/08/19 02:20:59 UTC

[jira] Resolved: (WW-3224) s:actionerror and Cross-Site Scripting

     [ https://issues.apache.org/struts/browse/WW-3224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Musachy Barroso resolved WW-3224.
---------------------------------

    Resolution: Fixed

Fixed for actionerror, actionmessage and fielderror: they will be escaped by default, but escape="false" can also be set.

> s:actionerror and Cross-Site Scripting
> --------------------------------------
>
>                 Key: WW-3224
>                 URL: https://issues.apache.org/struts/browse/WW-3224
>             Project: Struts 2
>          Issue Type: Improvement
>    Affects Versions: 2.0.14
>            Reporter: DavidZaz
>             Fix For: 2.1.8
>
>
> Currently, the s:property tag has an attribute named "escape" which allows users to determine whether HTML strings should be escaped when displaying content to the screen. The s:actionerror does not have any equivalent functionality and this can be used by Cross Site Scripting attacks. For example,
> <s:textfield name="myField" />
> <s:actionerror />
> public String execute() {
>     if (myField != null && myField.length() > 50) {
>         // the raw field value is interpolated into the error message unescaped
>         addActionError("The provided user text: \"" + myField + "\" exceeds the maximum length of 50 for the field.");
>         return "input";
>     }
>     return "success";
> }
> Suppose that a user enters some malicious javascript in the myField which is longer than 50 characters. When the Action returns to the form, the malicious javascript in the s:actionerror (but not in the s:textfield) will execute on the user's machine. It would be very useful if the s:actionerror tag included some functionality to escape this malicious HTML.
> Thanks!

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
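The behaviour the report describes, and the effect of escaping by default, as an added stand-alone illustration (not Struts code; the class, method names and the list markup approximating the tag's output are assumptions):

```java
import java.util.ArrayList;
import java.util.List;

// Constructed illustration of WW-3224: an action error built from user input is
// rendered once unescaped (the pre-fix <s:actionerror/> behaviour) and once
// escaped (the default after the fix). Not Struts code; names are assumed.
public class ActionErrorRenderer {

    // Minimal HTML escaping for text nodes and attribute values.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Mirrors the reporter's execute(): the raw field value lands in the message.
    static List<String> validate(String myField) {
        List<String> errors = new ArrayList<>();
        if (myField != null && myField.length() > 50) {
            errors.add("The provided user text: \"" + myField
                    + "\" exceeds the maximum length of 50 for the field.");
        }
        return errors;
    }

    // Renders the error list; 'escape' plays the role of the tag's escape attribute.
    static String render(List<String> errors, boolean escape) {
        StringBuilder html = new StringBuilder("<ul class=\"errorMessage\">\n");
        for (String e : errors) {
            html.append("  <li><span>").append(escape ? escapeHtml(e) : e).append("</span></li>\n");
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed input: longer than 50 characters and carrying markup.
        String input = "<script>alert(1)</script>"
                + " padding text to push the value past the fifty-character limit";
        List<String> errors = validate(input);
        System.out.println("escape=\"false\" (pre-fix):\n" + render(errors, false));
        System.out.println("\nescape=\"true\" (default after fix):\n" + render(errors, true));
    }
}
```

In the first rendering the browser receives a live script element inside the list item; in the second the same message arrives as `&lt;script&gt;...` and displays as text.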