Posted to issues@struts.apache.org by "Ralf Hauser (JIRA)" <ji...@apache.org> on 2007/04/16 06:33:43 UTC
[jira] Commented: (STR-2332) RFE: validator against cross-site scripting
[ https://issues.apache.org/struts/browse/STR-2332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_40803 ]
Ralf Hauser commented on STR-2332:
----------------------------------
This goes nicely together with a "late filtering" concept on error messages as implemented in http://bouncycastle.org/viewcvs/viewcvs.cgi/java/crypto/src/org/bouncycastle/i18n/ErrorBundle.java
> RFE: validator against cross-site scripting
> -------------------------------------------
>
> Key: STR-2332
> URL: https://issues.apache.org/struts/browse/STR-2332
> Project: Struts 1
> Issue Type: Improvement
> Components: Core
> Affects Versions: 1.2.4
> Environment: Operating System: All
> Platform: PC
> Reporter: Ralf Hauser
> Assigned To: Struts Developers
> Priority: Minor
>
> The bean:write tag has the filter attribute as a first and very effective line
> of defense.
> However, there may be cases where it is desirable to have user input rendered as
> html and thus set filter="false". Just not render html that is likely to be
> malicious.
> Suggestion: have a validator that rejects all kinds of scripts and uncontrolled
> inclusions (<object, <iframe, ...)
> see also: http://httpd.apache.org/info/css-security/
> P.S.: An alternative might be to have the validator not just reject, but also
> sanitize if this appears to be feasible
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
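The validator the RFE asks for, written here as an added example in plain Java; it is not code from the issue, from Struts or from Bouncy Castle, and the tag, attribute and scheme policy sets are assumptions for the example. Rather than listing the bad tags (`<object`, `<iframe`, ...) it rejects everything that is not explicitly allowed: an unlisted tag, an unlisted attribute (so every `on*` handler), markup that does not parse as a plain tag (comments, `<!DOCTYPE`, names with embedded control characters), and an `href` whose scheme, after numeric character references and embedded whitespace are resolved the way a browser would, is not `http`, `https` or `mailto`. `check()` returns `null` when the value may be rendered with `filter="false"` and a reason otherwise, which a Struts pluggable validator registered in `validator-rules.xml` (wiring not shown) would turn into a field error.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Allow-list validator for user-supplied HTML that an application intends to
 * render with bean:write filter="false". check() returns null when the value
 * is acceptable and a short reason string otherwise. The policy sets below are
 * assumptions for this example; tune them per application.
 */
public final class HtmlInputValidator {

    // Assumed policy: plain formatting only. script, object, iframe, embed, applet,
    // style, form, img and everything else are rejected simply by not being listed.
    private static final Set<String> ALLOWED_TAGS = new HashSet<String>(Arrays.asList(
        "b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "a", "blockquote", "code", "pre"));
    // Assumed policy: no style, no class, and never any on* event handler.
    private static final Set<String> ALLOWED_ATTRS = new HashSet<String>(Arrays.asList("href", "title"));
    private static final Set<String> ALLOWED_SCHEMES = new HashSet<String>(Arrays.asList("http", "https", "mailto"));

    // A tag is an optional '/', a name, then attribute text containing no angle brackets.
    // Comments, <!DOCTYPE, <?xml and names with embedded control characters fail to match.
    private static final Pattern TAG = Pattern.compile("<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>");
    // One attribute: a name with an optional quoted or bare value.
    private static final Pattern ATTR = Pattern.compile(
        "([a-zA-Z][a-zA-Z0-9_:.-]*)(?:\\s*=\\s*(\"[^\"]*\"|'[^']*'|[^\\s\"'>]+))?");
    // Numeric character references (decimal or hex); everything else except &amp; is refused in URLs.
    private static final Pattern NUMERIC_REF = Pattern.compile("&#([xX][0-9a-fA-F]{1,6}|[0-9]{1,7});?");
    private static final Pattern OTHER_REF = Pattern.compile("&(?!#|amp;)");

    private HtmlInputValidator() {}

    /** Returns null if the value may be rendered unfiltered, otherwise the reason for rejection. */
    public static String check(String html) {
        if (html == null) return null;
        int pos = 0;
        while ((pos = html.indexOf('<', pos)) >= 0) {
            Matcher m = TAG.matcher(html).region(pos, html.length());
            if (!m.lookingAt()) return "markup at offset " + pos + " is not a plain tag";
            String name = m.group(2).toLowerCase(Locale.ROOT);
            if (!ALLOWED_TAGS.contains(name)) return "tag <" + name + "> is not allowed";
            String reason = checkAttributes(m.group(3));
            if (reason != null) return reason;
            pos = m.end();
        }
        return null;
    }

    private static String checkAttributes(String attrText) {
        Matcher a = ATTR.matcher(attrText);
        while (a.find()) {
            String name = a.group(1).toLowerCase(Locale.ROOT);
            if (!ALLOWED_ATTRS.contains(name)) return "attribute '" + name + "' is not allowed";
            if (name.equals("href") && a.group(2) != null) {
                String reason = checkUrl(unquote(a.group(2)));
                if (reason != null) return reason;
            }
        }
        return null;
    }

    private static String unquote(String v) {
        return (v.length() >= 2 && (v.charAt(0) == '"' || v.charAt(0) == '\''))
            ? v.substring(1, v.length() - 1) : v;
    }

    private static String checkUrl(String raw) {
        if (OTHER_REF.matcher(raw).find()) return "named character reference in URL";
        StringBuffer decoded = new StringBuffer();
        try {
            Matcher r = NUMERIC_REF.matcher(raw);
            while (r.find()) {
                String n = r.group(1);
                boolean hex = n.charAt(0) == 'x' || n.charAt(0) == 'X';
                int cp = hex ? Integer.parseInt(n.substring(1), 16) : Integer.parseInt(n);
                r.appendReplacement(decoded, Matcher.quoteReplacement(new String(Character.toChars(cp))));
            }
            r.appendTail(decoded);
        } catch (IllegalArgumentException e) {   // NumberFormatException and out-of-range code points
            return "invalid character reference in URL";
        }
        // Browsers ignore control characters and whitespace inside a scheme, so drop them
        // before looking for the scheme; &amp; is the only named reference accepted.
        StringBuilder url = new StringBuilder();
        for (char c : decoded.toString().replace("&amp;", "&").toCharArray()) if (c > 0x20) url.append(c);
        String u = url.toString().toLowerCase(Locale.ROOT);
        int colon = u.indexOf(':');
        if (colon < 0) return null;                                   // relative URL
        String scheme = u.substring(0, colon);
        if (!scheme.matches("[a-z][a-z0-9+.-]*")) return null;       // colon is in the path/query, so relative
        return ALLOWED_SCHEMES.contains(scheme) ? null : "URL scheme '" + scheme + "' is not allowed";
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demo; the first is accepted, the rest are rejected.
        String[] samples = {
            "Hello <b>world</b>, see <a href=\"https://example.org/x?a=1&amp;b=2\">this</a>",
            "<script>alert(1)</script>",                     // unlisted tag
            "<IFRAME src=\"http://example.org/\"></IFRAME>",   // unlisted tag, case-insensitive
            "<b onmouseover=\"alert(1)\">hi</b>",             // event handler attribute
            "<a href=\"java\tscript:alert(1)\">x</a>",        // whitespace inside the scheme
            "<a href=\"&#106;avascript:alert(1)\">x</a>",     // numeric reference hides the scheme
            "<a href=\"javascript&colon;alert(1)\">x</a>",    // named reference
            "<!-- c --><b>x</b>",                             // comment is not a plain tag
        };
        for (String s : samples) {
            String reason = check(s);
            System.out.println((reason == null ? "ACCEPT " : "REJECT ") + s.replace("\t", "\\t")
                + (reason == null ? "" : "  [" + reason + "]"));
        }
    }
}
```

The check is deliberately strict: a `>` inside a quoted attribute value, or any construct the simple tag regex does not understand, is rejected rather than guessed at, which is the right failure mode for a validator whose only job is to say no. The sanitizing alternative from the P.S. needs a real HTML parser that re-serializes a cleaned tree; a regex-based rewriter that strips `<script>` in place is where most bypasses come from, so reject-only is the easier behaviour to get right.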