Posted to issues@struts.apache.org by "Fabio (JIRA)" <ji...@apache.org> on 2008/01/11 15:34:04 UTC

[jira] Created: (WW-2414) encode attribute of <s:url ... />

encode attribute of <s:url ... />
---------------------------------

                 Key: WW-2414
                 URL: https://issues.apache.org/struts/browse/WW-2414
             Project: Struts 2
          Issue Type: Bug
    Affects Versions: 2.0.11
         Environment: tomcat 6.0.14, jdk 1.6.0_03
            Reporter: Fabio


I downloaded the struts2-blank-2.0.11 application.

I placed it in the webapps directory of Tomcat and executed it. It works.

I placed in example the file XSS.jsp, written this way:

______
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="s" uri="/struts-tags"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<s:url id="xssTest" action="test" namespace="/test" encode="true" />
<s:a href="%{xssTest}">XSS Test</s:a>
</body>
</html>
______

I'm setting encode="true". But if I load this in Internet Explorer 6:

http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?>'"><script>alert('Hello World')</script>

The JavaScript is executed, and this can be used for XSS.
I looked into the class:

org.apache.struts2.components.URL
Revision 595746

And I don't understand where the encode property is used.
Is this the right behaviour of the encode attribute?
Thank you.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Rene Gielen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen updated WW-2414:
----------------------------

    Assignee: James Mitchell  (was: Rene Gielen)

Closer Award: Just reassigning back to James since he applied the patches to the trunk; I just backported them to 2.0.x.

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: James Mitchell
>            Priority: Critical
>             Fix For: 2.0.11.1, 2.1.1
>
>
> The <s:url> tag does not encode the URL parameters when specified in the "action" attribute. This can lead to a possible XSS attack or invalid URLs.
> Moreover, <s:a> does not encode the value of the "href" attribute, which can create invalid HTML code and XSS attacks.
> This is the original description from Fabio Gandola.
> -------------
> I downloaded the struts2-blank-2.0.11 application.
> I placed it in the webapps directory of Tomcat and executed it. It works.
> I placed in example the file XSS.jsp, written this way:
> ______
> <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
>     pageEncoding="ISO-8859-1"%>
> <%@ taglib prefix="s" uri="/struts-tags"%>
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
> <title>Insert title here</title>
> </head>
> <body>
> <s:url id="xssTest" action="test" namespace="/test" encode="true" />
> <s:a href="%{xssTest}">XSS Test</s:a>
> </body>
> </html>
> ______
> I'm setting encode="true". But if I load this in Internet Explorer 6:
> http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?>'"><script>alert('Hello World')</script>
> The JavaScript is executed, and this can be used for XSS.
> I looked into the class:
> org.apache.struts2.components.URL
> Revision 595746
> And I don't understand where the encode property is used.
> Is this the right behaviour of the encode attribute?
> EDIT: After doing some more tests, I noticed that if I do:
> _____
> <s:url id="xssTest" action="test" namespace="/test" encode="true">
> <s:param name="myvar" value="%{'< > &'}" />
> </s:url>
> <s:a href="%{xssTest}">XSS Test</s:a>
> _____
> The characters < > & are encoded, and so this is OK.
> The funny thing is that this happens too if I set encode="false".
> However, I think that the fact that the passed query string is not encoded (or at least I have not found a way) can give security problems? Or should this be checked by the programmer?
> Thank you.



[jira] Updated: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Rene Gielen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen updated WW-2414:
----------------------------

    Fix Version/s: 2.0.12

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: Rene Gielen
>            Priority: Critical
>             Fix For: 2.0.12, 2.1.1
>
>



[jira] Updated: (WW-2414) encode attribute of <s:url ... />

Posted by "Fabio (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fabio updated WW-2414:
----------------------

    Description: 
I downloaded the struts2-blank-2.0.11 application.

I placed it in the webapps directory of Tomcat and executed it. It works.

I placed in example the file XSS.jsp, written this way:

______
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="s" uri="/struts-tags"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<s:url id="xssTest" action="test" namespace="/test" encode="true" />
<s:a href="%{xssTest}">XSS Test</s:a>
</body>
</html>
______

I'm setting encode="true". But if I load this in Internet Explorer 6:

http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?>'"><script>alert('Hello World')</script>

The JavaScript is executed, and this can be used for XSS.
I looked into the class:

org.apache.struts2.components.URL
Revision 595746

And I don't understand where the encode property is used.
Is this the right behaviour of the encode attribute?

EDIT: After doing some more tests, I noticed that if I do:

_____
<s:url id="xssTest" action="test" namespace="/test" encode="true">
<s:param name="myvar" value="%{'< > &'}" />
</s:url>
<s:a href="%{xssTest}">XSS Test</s:a>
_____

The characters < > & are encoded, and so this is OK.
The funny thing is that this happens too if I set encode="false".

However, I think that the fact that the passed query string is not encoded (or at least I have not found a way) can give security problems? Or should this be checked by the programmer?

Thank you.



> encode attribute of <s:url ... />
> ---------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio
>



[jira] Commented: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Dave Newton (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46082#action_46082 ] 

Dave Newton commented on WW-2414:
---------------------------------

I think that's what the "escapeAmp" attribute is for.




[jira] Commented: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Wes Wannemacher (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46102#action_46102 ] 

Wes Wannemacher commented on WW-2414:
-------------------------------------

Steve, in your s:property tag, you can specify 'escape="false"'.

That would fix the &amp; problem. The s:property tag escapes everything by default to keep tricksters from posting HTML/JS code as a parameter if they notice that the following page regurgitates it. In your case, it doesn't look like you are using user input to generate the URL, so it seems safe to me to use escape="false" on your s:property tag.






[jira] Updated: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Antonio Petrelli (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Petrelli updated WW-2414:
---------------------------------

    Component/s: Plugin - Tags
    Description: 
The <s:url> tag does not encode the URL parameters when specified in the "action" attribute. This can lead to a possible XSS attack or invalid URLs.
Moreover, <s:a> does not encode the value of the "href" attribute, which can create invalid HTML code and XSS attacks.


       Priority: Critical  (was: Major)
        Summary: Tags <s:url> and <s:a> do not encode URLs  (was: encode attribute of <s:url ... />)

Edited the description to be more concise.

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio
>            Priority: Critical
>             Fix For: 2.1.1
>
>



[jira] Commented: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Steve Higham (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46083#action_46083 ] 

Steve Higham commented on WW-2414:
----------------------------------

But the & which has been encoded is the parameter separator.  The correctly encoded URL should be "...myaction.action?param1=1&param2=2".

Currently this is being encoded as "...myaction.action?param1=1&amp;param2=2" - This is an invalid URL. Feeding it back into Struts (correctly) causes an OGNL exception.

I suspect this is due to encoding the whole URL rather than encoding the constituent parts.




[jira] Commented: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Wes Wannemacher (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46089#action_46089 ] 

Wes Wannemacher commented on WW-2414:
-------------------------------------

Steve, I think you might be worried about nothing. A URL in the HREF parameter of the A tag that looks like this, "myaction.action?param1=1&param2=2", is actually invalid XML. The example that you use, 'myaction.action?param1=1&amp;param2=2', may be an invalid URL, but it is valid XHTML. Try to put it in an HTML A tag, then click it... It works correctly. This is one of those areas where different standards/specifications don't agree completely. On one hand you have the XML standard, which doesn't allow & as a standalone character. XHTML is derived from XML, so it inherits the same rules. On the other hand, you have whatever RFC defines the query string, which expects &... It's messy, but that's why we have tag parameters to let you sort it out. If you are creating a URL that is going to be part of your HTML content, then let the & become &amp;. If you are generating a URL that is going to be used by JavaScript to make an async request, then don't let the &s get encoded.
  

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: James Mitchell
>            Priority: Critical
>             Fix For: 2.0.11.1, 2.1.1



[jira] Resolved: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Rene Gielen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen resolved WW-2414.
-----------------------------

    Resolution: Fixed

fix for 2.0.x tree now in SVN

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: Rene Gielen
>            Priority: Critical
>             Fix For: 2.0.12, 2.1.1



[jira] Commented: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Steve Higham (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46101#action_46101 ] 

Steve Higham commented on WW-2414:
----------------------------------

I've done some more testing and finally figured out what's going on.

The escapeAmp setting has no effect on the parameter contents. Any & characters within a parameter are encoded (to %28, although I guess this depends on the character set; I'm using UTF-8). Therefore escapeAmp does not open any security loopholes. This was one of my concerns.

I am writing code like the following:

<s:url action="myAction" var="myURL" escapeAmp="..." >
  <s:param name="..." value="..." />
  <s:param name="..." value="..." />
</s:url>

This performs as documented. escapeAmp="true" (the default) uses "&amp;" as the parameter separator. escapeAmp="false" uses "&" as the separator. Everything is fine. This can be verified by removing the var="..." and seeing the url rendered directly into the html.

However I am using the result in an html <a> tag as follows: -

<a href='<s:property value="myURL" />'>URL Text</a>

This is adding a further level of encoding. Therefore escapeAmp="false" in the url tag is fine. Separator ends up as "&amp;". However escapeAmp="true" (default) in the url tag leads to a doubly encoded separator "&amp;amp;". This causes OGNL exceptions when trying to call setter methods on the targeted action.

This solves all my concerns. I just need to remember to use escapeAmp="false" whenever I have more than one parameter.

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: James Mitchell
>            Priority: Critical
>             Fix For: 2.0.11.1, 2.1.1



[jira] Reopened: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Rene Gielen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen reopened WW-2414:
-----------------------------

      Assignee: Rene Gielen

Reopened to apply to 2.0 tree

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: Rene Gielen
>            Priority: Critical
>             Fix For: 2.0.12, 2.1.1



[jira] Reopened: (WW-2414) encode attribute of <s:url ... />

Posted by "Antonio Petrelli (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Petrelli reopened WW-2414:
----------------------------------


This bug is shaping up as an XSS exploit, so it could possibly be a serious security bug:
http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449.html

Please do not close or resolve this issue until you are sure that it is *not* a bug.

> encode attribute of <s:url ... />
> ---------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio
>             Fix For: 2.1.1



[jira] Resolved: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "James Mitchell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Mitchell resolved WW-2414.
--------------------------------

    Resolution: Fixed

It appears that response.encodeUrl() does not properly encode script tags if they happen to get through the container and into our filter.

Below is a test file that I used to verify this behavior, and the fix.


<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="s" uri="/struts-tags"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>

Hard coded anchor tag: <br/>
<a href="?<script>alert('hi')</script>">click here</a>
<br/>
<br/>

s:url with encode=false:<br/>
<s:url id="xssTest" action="test" namespace="/test" encode="false" />
<s:a href="%{xssTest}">XSS Test</s:a>

<br/>
<br/>

s:url with encode=true:<br/>
<s:url id="xssTest" action="test" namespace="/test" encode="true" />
<s:a href="%{xssTest}">XSS Test</s:a>

<br/>
<br/>
Directly call response.encodeUrl("/foo.action?&lt;script&gt;alert('hi')&lt;/script&gt;")<br/>
<%=response.encodeUrl("/foo.action?<script>alert('hi')</script>") %>

</body>
</html> 


> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Priority: Critical
>             Fix For: 2.1.1


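The test page in the message above compares a hard-coded anchor, the tag with encode="false" and encode="true", and a direct response.encodeUrl() call. As an added illustration (Python, not Struts code, and not the fix that went into SVN), the block below models the two renderings that comparison is about: the reported behaviour, where the request's query string is written into href verbatim, and a hardened rendering that keeps two encoding layers apart, percent-encoding names and values at the URL layer and then escaping the finished URL once for the attribute at the HTML layer. One caveat for readers of the comment above: HttpServletResponse.encodeURL() is the Servlet API's session-ID URL-rewriting hook and performs no character escaping, so it cannot neutralise a payload on its own; the tag has to escape explicitly. The action path, the REPORTED_QUERY constant (copied from the report's URL), and all function names are this example's own.

```python
import html
from urllib.parse import parse_qsl, urlencode

# Constructed input: the query string from the original report, i.e. what
# arrives after "XSS.jsp?" when the reporter's URL is requested.
REPORTED_QUERY = ">'\"><script>alert('Hello World')</script>"
# Constructed action path standing in for action="test" namespace="/test".
ACTION_PATH = "/test/test.action"


def render_link_unescaped(action_path: str, raw_query: str) -> str:
    """Behaviour the report describes: the request's query string is appended
    to the action URL and written into href verbatim. Nothing stops a quote or
    angle bracket in raw_query from ending the attribute and the tag."""
    url = f"{action_path}?{raw_query}" if raw_query else action_path
    return f'<a href="{url}">XSS Test</a>'


def render_link_escaped(action_path: str, raw_query: str) -> str:
    """Hardened rendering with two distinct layers:
    1. URL layer: parse the incoming query and percent-encode every name and
       value, so '<', '>', quotes and '&' inside a value cannot act as
       delimiters of the query string itself.
    2. HTML layer: escape the finished URL once for the attribute context, so
       the remaining '&' separators become '&amp;' and no quote or '<' can
       terminate href. The browser reverses this layer before navigating."""
    params = parse_qsl(raw_query, keep_blank_values=True)
    url = action_path + ("?" + urlencode(params) if params else "")
    return f'<a href="{html.escape(url, quote=True)}">XSS Test</a>'


def _href_of(rendered: str) -> str:
    return rendered.split('href="', 1)[1].split('"', 1)[0]


def attribute_intact(rendered: str) -> bool:
    """Check to run on rendered markup: the anchor must be the only element
    present (one '<a', one '</a>') and the href value must carry no raw '<'
    or '>' that a lenient parser could treat as markup."""
    href = _href_of(rendered)
    return rendered.count("<") == 2 and "<" not in href and ">" not in href


def server_receives(rendered: str):
    """What the action sees when the link is followed: the browser decodes the
    HTML character references in the attribute, then the container splits the
    query on '&' and percent-decodes names and values."""
    query = html.unescape(_href_of(rendered)).split("?", 1)[1]
    return parse_qsl(query, keep_blank_values=True)


if __name__ == "__main__":
    print(render_link_unescaped(ACTION_PATH, REPORTED_QUERY))
    print(render_link_escaped(ACTION_PATH, REPORTED_QUERY))
```

The unescaped rendering contains a live `<script>` element because the payload's `"` closes the attribute and its `>` closes the tag; the escaped rendering carries the same data percent-encoded, the attribute survives intact, and parsing the link back yields the original query string untouched, so the fix loses nothing the action needed.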

[jira] Commented: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Steve Higham (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46093#action_46093 ] 

Steve Higham commented on WW-2414:
----------------------------------

I've been looking through the HTML. Previously I was reading the links from the Firefox hint bar and the OGNL generated exception.

Within the HTML the separating & is being encoded e.g. "...myaction.action?param1=1&amp;param2=2". This is happening with escapeAmp="false" and everything works OK.

When I remove escapeAmp="false" I get the & separators encoded twice e.g. "...myaction.action?param1=1&amp;amp;param2=2". This causes the OGNL exceptions.

I haven't checked what effect "escapeAmp=false" has on & chars embedded in the parameters.

I guess this means that there is no issue with XHTML compliance. However it still seems strange that we need to add "escapeAmp=false" whenever multiple parameters are included within an s:url tag. I'm going to test the effect of "escapeAmp=false" on & chars embedded within parameters next...

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: James Mitchell
>            Priority: Critical
>             Fix For: 2.0.11.1, 2.1.1



[jira] Resolved: (WW-2414) encode attribute of <s:url ... />

Posted by "Ted Husted (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Husted resolved WW-2414.
----------------------------

    Fix Version/s: 2.1.1
       Resolution: Incomplete

> encode attribute of <s:url ... />
> ---------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio
>             Fix For: 2.1.1



[jira] Commented: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Steve Higham (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46081#action_46081 ] 

Steve Higham commented on WW-2414:
----------------------------------

I think there may be a problem with this fix.

I am using the Struts 2.1.6 GA release and I've noticed that the "&" separator for multiple parameters is being encoded as well. This results in URLs like the following: "...myaction.action?param1=1&amp;param2=2".

Is this something to do with this encoding fix or should I raise it as a separate JIRA?


> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: James Mitchell
>            Priority: Critical
>             Fix For: 2.0.11.1, 2.1.1



[jira] Commented: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Steve Higham (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46103#action_46103 ] 

Steve Higham commented on WW-2414:
----------------------------------

Wes, I guess there's two approaches then. Either escapeAmp="false" in the s:url tag or escape="false" in the s:property tag.

I believe that either of these methods can safely be used for user supplied input as well. I tested this quite carefully today as follows: -

I placed the following string onto an action "abc&testParam2=2". I then pulled this off and turned it into a URL using the s:url tag and s:property tag as shown above (escapeAmp="false"). This produced a URL with the embedded "&" encoded as "%28" (presumably by the s:param tag) and the separator "&" encoded as "&amp;" (presumably encoded by the property). To be absolutely certain I targeted this URL at an action with setTestParam1 (String) and setTestParam2 (int) setter methods. testParam1 was populated with the entire string correctly decoded and testParam2 was not set. I think the resultant URL was XHTML compliant as well.

Thanks for comments from yourself and Dave Newton. I think I've got this clear now.

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: James Mitchell
>            Priority: Critical
>             Fix For: 2.0.11.1, 2.1.1

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Steve Higham (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46092#action_46092 ] 

Steve Higham commented on WW-2414:
----------------------------------

Wes, Thanks for the links - I've had a quick look at them but I will return...

My problem is that I am targeting an action with "public void setParam1 (...)" type methods. If I call this with "...myaction.action?param1=1&param2=2" then everything works fine. However if the URL is "...myaction.action?param1=1&amp;param2=2" then an OGNL exception is thrown. I suspect that Struts is not the only system that insists on "&" as a parameter separator.

I fully appreciate this is a big problem if you need your pages to be XHTML compliant. However to force people to switch off & encoding (via escapeAmp="false") in order to create valid URLs cannot be correct. Possibly the separator should be configurable. However I think that encoding rules should be applied to the parameters separately and should exclude the separator.



[jira] Commented: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Wes Wannemacher (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46090#action_46090 ] 

Wes Wannemacher commented on WW-2414:
-------------------------------------

Steve, some useful links on the topic - 

http://www.w3.org/TR/2008/REC-xml-20081126/#syntax (the second paragraph of this section is pretty clear you can't use & in xml)
http://labs.apache.org/webarch/uri/rfc/rfc3986.html (RFC briefly touching on & character)
http://www.456bereastreet.com/archive/200406/ampersands_and_validation/ (a good explanation of the problem and why &amp; is right for situations like s:a and most of the time with s:url.)



[jira] Commented: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Steve Higham (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46088#action_46088 ] 

Steve Higham commented on WW-2414:
----------------------------------

I've done some more experimenting.

Setting encode="false" does not stop the & separator from being encoded.

Setting escapeAmp="false" does stop the & separator from being encoded. In my case this is fine as I know the parameters are generated programmatically and will never contain embedded &. However the reason to encode parameters is to allow parameters which may contain special symbols including &.

I think the correct way forward is as follows: -

The & symbol when used as a parameter separator should never be encoded - this creates invalid URLs.

I'm not sure of the value of escapeAmp. If you are encoding the parameters (presumably as a security mechanism) then embedded & characters should always be encoded. To not do so may expose you to security issues?

I can't think of a use case for encode="false". However, if it is supported, then it should work correctly.


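An added illustration, written in Python for this page and not code from Struts or from anyone in this thread, of the point Steve makes in the comment above and confirms in his later test at the top of the page: parameter values get percent-encoded (so an '&' inside a value becomes %26 and the reporter's `>'"><script>` payload cannot break out of the attribute), the separator '&' stays bare in the URL and only becomes `&amp;` when the URL is escaped for the href attribute, and the browser undoes that attribute escaping before the server ever sees the query string. It also reproduces the failure he describes when `&amp;` is written into the URL itself rather than produced by attribute escaping. The action path, the PAYLOAD constant and the parameter names are made up for the demonstration; nothing here calls the Struts tag classes.

```python
"""Added illustration in Python, not Struts code: the two encoding layers a
URL passes through on its way into an HTML href attribute, and why the
parameter separator must be treated differently from an '&' that is part
of a parameter value.

  layer 1 (URL):  every name and value is percent-encoded, so an '&' inside
                  a value becomes %26 and can no longer act as a separator;
                  the separators between parameters stay bare '&'.
  layer 2 (HTML): the finished URL is escaped for the attribute context, so
                  the bare separators become &amp; and any '"', '<' or '>'
                  cannot close the attribute or open a tag.

The browser removes layer 2 when it reads the attribute; the server removes
layer 1 when it parses the query string.  ACTION, PAYLOAD and the parameter
names below are made up for the demonstration.
"""
import html
from urllib.parse import unquote_plus, urlencode, urlsplit

ACTION = "/test/test.action"  # hypothetical target, stands in for action="test" namespace="/test"
PAYLOAD = ">'\"><script>alert('Hello World')</script>"  # the reporter's query string


def build_url(action_path, params):
    """Layer 1: percent-encode each name/value and join with bare '&'."""
    return action_path + "?" + urlencode(params) if params else action_path


def href_attribute(url):
    """Layer 2: escape for a double-quoted attribute ('&' -> '&amp;', '"' -> '&quot;', ...)."""
    return html.escape(url, quote=True)


def render_anchor(action_path, params, text):
    """What a correct <s:url>/<s:a> pair should emit: both layers applied."""
    return '<a href="%s">%s</a>' % (href_attribute(build_url(action_path, params)),
                                     html.escape(text))


def render_anchor_unsafe(action_path, raw_query_string, text):
    """The bug pattern from the report: the request's query string pasted
    into the href with neither layer applied.  Kept only as the 'before'."""
    return '<a href="%s?%s">%s</a>' % (action_path, raw_query_string, text)


def server_parse(url):
    """What the action sees: the query is split on bare '&' and each name
    and value is percent-decoded, as the servlet container does before
    the setters are called."""
    query = urlsplit(url).query
    params = {}
    for pair in (query.split("&") if query else []):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def click(anchor_html):
    """Simulate following the link: the browser html-unescapes the attribute
    value (layer 2 off), then the server parses the URL (layer 1 off)."""
    start = anchor_html.index('href="') + len('href="')
    end = anchor_html.index('"', start)
    return server_parse(html.unescape(anchor_html[start:end]))


def is_well_formed_anchor(anchor_html):
    """Cheap attribute-context check: only the two quotes that delimit href,
    and only the '<' of <a> and of </a>."""
    return anchor_html.count('"') == 2 and anchor_html.count("<") == 2


# Case 1: the reporter's payload reflected from the request into the link.
def reflected_payload_case():
    unsafe = render_anchor_unsafe(ACTION, PAYLOAD, "XSS Test")
    safe = render_anchor(ACTION, {"q": PAYLOAD}, "XSS Test")
    return unsafe, safe


# Case 2: Steve's test, a value that itself looks like '&name=value'.
def embedded_ampersand_case():
    anchor = render_anchor(ACTION, {"testParam1": "abc&testParam2=2", "testParam3": "x"}, "go")
    return anchor, click(anchor)


# Case 3: Steve's failing URL, '&amp;' written into the URL itself rather
# than produced by attribute escaping, so no bare separator reaches the
# server and the second parameter arrives under the name 'amp;param2'.
def double_escaped_url_case():
    return server_parse("/myaction.action?param1=1&amp;param2=2")


if __name__ == "__main__":
    for line in reflected_payload_case():
        print(line)
    anchor, seen = embedded_ampersand_case()
    print(anchor, seen, double_escaped_url_case(), sep="\n")
```

Running the block prints the unsafe anchor with the live `<script>` tag beside the safe one in which every payload character is percent-encoded, then the `testParam1=abc%26testParam2%3D2&amp;testParam3=x` link and the parameters the action would receive from it (testParam1 whole, no testParam2), and finally the `amp;param2` parameter name that results when `&amp;` is put into the URL directly instead of being produced by attribute escaping.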


[jira] Updated: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

Posted by "Rene Gielen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen updated WW-2414:
----------------------------

    Fix Version/s:     (was: 2.0.12)
                   2.0.11.1

The fix goes into 2.0.11.1

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio Gandola
>            Assignee: Rene Gielen
>            Priority: Critical
>             Fix For: 2.0.11.1, 2.1.1
>
>
> The <s:url> tag does not encode the URL parameters when specified in the "action" attribute. This can lead to a possible XSS attack or invalid URLs.
> Moreover, <s:a> does not encode the value in "href" attribute, that can create invalid HTML code and XSS attacks.
> This is the original description from Fabio Gandola.
> -------------
> I download the struts2-blank-2.0.11 application.
> I place it in the webapps directory of Tomcat and I execute it. It works.
> I place in example, the file XSS.jsp written this way:
> ______
> <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
>     pageEncoding="ISO-8859-1"%>
> <%@ taglib prefix="s" uri="/struts-tags"%>
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
> <title>Insert title here</title>
> </head>
> <body>
> <s:url id="xssTest" action="test" namespace="/test" encode="true" />
> <s:a href="%{xssTest}">XSS Test</s:a>
> </body>
> </html>
> ______
> I'm setting encode="true". But if I load on Internet Explorer 6:
> http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?>'"><script>alert('Hello World')</script>
> The javascript is executed.. and this can be used for XSS stuff.
> I looked into the class:
> org.apache.struts2.components.URL 
> Revision 595746
> And I don't understand where the encode properties is used.
> Is this the right behaviour of encode attribute?
> EDIT: After doing some more tests, I noticed that I do:
> _____
> <s:url id="xssTest" action="test" namespace="/test" encode="true">
> <s:param name="myvar" value="%{'< > &'}" />
> </s:url>
> <s:a href="%{xssTest}">XSS Test</s:a>
> _____
> The characters < > & are encoded, and so.. this is ok.
> The funny thing is that it happens too if I set encode="false"
> However I think that the fact the passed query string is not encoded.. (or at least I have not found a way) can give security problems? or this should be checked by the programmer?
> Thank you.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.