You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "DavidZaz (JIRA)" <ji...@apache.org> on 2009/08/18 23:16:59 UTC

[jira] Updated: (WW-3224) s:actionerror and Cross-Site Scripting

     [ https://issues.apache.org/struts/browse/WW-3224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

DavidZaz updated WW-3224:
-------------------------

    Issue Type: Improvement  (was: Bug)

> s:actionerror and Cross-Site Scripting
> --------------------------------------
>
>                 Key: WW-3224
>                 URL: https://issues.apache.org/struts/browse/WW-3224
>             Project: Struts 2
>          Issue Type: Improvement
>    Affects Versions: 2.0.14
>            Reporter: DavidZaz
>
> Currently, the s:property tag has an attribute named "escape" which allows users to determine whether HTML strings should be escaped when displaying content to the screen. The s:actionerror does not have any equivalent functionality and this can be used by Cross Site Scripting attacks. For example,
> <s:textfield name="myField" />
> <s:actionerror />
> public String execute() {
> if (myField != null && myField.length() > 50) {
> addActionError("The provided user text: \"" + myField + "\" exceeds the maximum length of 50 for the field.");
> return "input";
> }
> Suppose that a user enters some malicious javascript in the myField which is longer than 50 characters. When the Action returns to the form, the malicious javascript in the s:actionerror (but not in the s:textfield) will execute on the user's machine. It would be very useful if the s:actionerror tag included some functionality to escape this malicious HTML.
> Thanks!

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.