You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Ralf Hauser (JIRA)" <ji...@apache.org> on 2007/04/16 06:33:43 UTC

[jira] Commented: (STR-2332) RFE: validator against cross-site scripting

    [ https://issues.apache.org/struts/browse/STR-2332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_40803 ] 

Ralf Hauser commented on STR-2332:
----------------------------------

this goes nicely together with a "late filtering" concept on error messages as implemented in http://bouncycastle.org/viewcvs/viewcvs.cgi/java/crypto/src/org/bouncycastle/i18n/ErrorBundle.java

> RFE: validator against cross-site scripting
> -------------------------------------------
>
>                 Key: STR-2332
>                 URL: https://issues.apache.org/struts/browse/STR-2332
>             Project: Struts 1
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.2.4
>         Environment: Operating System: All
> Platform: PC
>            Reporter: Ralf Hauser
>         Assigned To: Struts Developers
>            Priority: Minor
>
> The bean:write tag has the filter attribute as a first and very effective line
> of defense.
> However, there may be cases where it is desirable have user input rendered as
> html and thus set filter="false". Just not render html that is likely to be
> malicious.
> Suggestion: have a validator that rejects all kinds of scripts and uncontrolled
> inclusions (<object, <iframe, ...)
> see also: http://httpd.apache.org/info/css-security/
> P.S.: An alternative might be to have the validator not just reject, but also
> sanitze if this appears to be feasible

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.