Posted to issues@struts.apache.org by "Antonio Petrelli (JIRA)" <ji...@apache.org> on 2008/01/16 09:48:05 UTC

[jira] Created: (WW-2427) s:a does not encode "href" attribute value

s:a does not encode "href" attribute value
------------------------------------------

                 Key: WW-2427
                 URL: https://issues.apache.org/struts/browse/WW-2427
             Project: Struts 2
          Issue Type: Bug
          Components: Plugin - Tags
    Affects Versions: 2.0.11
            Reporter: Antonio Petrelli


The <s:a> does not encode the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
Probably a new attribute that specifies whether the encoding is enabled or not should be added.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (WW-2427) s:a does not encode "href" attribute value

Posted by "Jeromy Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=43006#action_43006 ] 

Jeromy Evans commented on WW-2427:
----------------------------------

It's deliberate that href is the only attribute in this template that isn't HTML-escaped.

Automatically HTML-escaping the href attribute will not be satisfactory for a URL value.
Automatically URL-encoding the href attribute will not be satisfactory for a javascript/vbscript value.

Adding an encode attribute (default false) that URLEncoder.encode's href when true seems to be part of the solution.  It may also be appropriate to html-escape the attribute when encode is false.

> s:a does not encode "href" attribute value
> ------------------------------------------
>
>                 Key: WW-2427
>                 URL: https://issues.apache.org/struts/browse/WW-2427
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>            Reporter: Antonio Petrelli
>
> The <s:a> does not encode the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
> Probably a new attribute that specifies whether the encoding is enabled or not should be added.



[jira] Resolved: (WW-2427) s:a does not HTML-escape "href" attribute value

Posted by "Rene Gielen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen resolved WW-2427.
-----------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.12

Applied Don's fix to 2.0.x tree

> s:a does not HTML-escape "href" attribute value
> -----------------------------------------------
>
>                 Key: WW-2427
>                 URL: https://issues.apache.org/struts/browse/WW-2427
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>            Reporter: Antonio Petrelli
>            Assignee: Rene Gielen
>             Fix For: 2.0.12, 2.1.1
>
>
> The <s:a> does not escape the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
> Probably a new attribute that specifies whether the escape is enabled or not should be added.



[jira] Updated: (WW-2427) s:a does not HTML-escape "href" attribute value

Posted by "Rene Gielen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen updated WW-2427:
----------------------------

    Assignee: Don Brown  (was: Rene Gielen)

Closer Award: Just reassigning back to Don since he applied the patches to the trunk; I just backported them to 2.0.x.

> s:a does not HTML-escape "href" attribute value
> -----------------------------------------------
>
>                 Key: WW-2427
>                 URL: https://issues.apache.org/struts/browse/WW-2427
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>            Reporter: Antonio Petrelli
>            Assignee: Don Brown
>             Fix For: 2.0.11.1, 2.1.1
>
>
> The <s:a> does not escape the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
> Probably a new attribute that specifies whether the escape is enabled or not should be added.



[jira] Updated: (WW-2427) s:a does not HTML-escape "href" attribute value

Posted by "Antonio Petrelli (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Petrelli updated WW-2427:
---------------------------------

    Description: 
The <s:a> does not escape the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
Probably a new attribute that specifies whether the escape is enabled or not should be added.

  was:
The <s:a> does not encode the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
Probably a new attribute that specifies whether the encoding is enabled or not should be added.

        Summary: s:a does not HTML-escape "href" attribute value  (was: s:a does not encode "href" attribute value)

Thanks Jeromy, I rewrote the description and the summary replacing the term "encode" with "escape".

> s:a does not HTML-escape "href" attribute value
> -----------------------------------------------
>
>                 Key: WW-2427
>                 URL: https://issues.apache.org/struts/browse/WW-2427
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>            Reporter: Antonio Petrelli
>
> The <s:a> does not escape the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
> Probably a new attribute that specifies whether the escape is enabled or not should be added.



[jira] Resolved: (WW-2427) s:a does not HTML-escape "href" attribute value

Posted by "Don Brown (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Don Brown resolved WW-2427.
---------------------------

    Resolution: Fixed
      Assignee: Don Brown

Simple is good - added the escaping of double quotes.

> s:a does not HTML-escape "href" attribute value
> -----------------------------------------------
>
>                 Key: WW-2427
>                 URL: https://issues.apache.org/struts/browse/WW-2427
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>            Reporter: Antonio Petrelli
>            Assignee: Don Brown
>             Fix For: 2.1.1
>
>
> The <s:a> does not escape the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
> Probably a new attribute that specifies whether the escape is enabled or not should be added.



[jira] Reopened: (WW-2427) s:a does not HTML-escape "href" attribute value

Posted by "Rene Gielen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen reopened WW-2427:
-----------------------------

      Assignee: Rene Gielen  (was: Don Brown)

Reopened to apply fix to 2.0.x tree

> s:a does not HTML-escape "href" attribute value
> -----------------------------------------------
>
>                 Key: WW-2427
>                 URL: https://issues.apache.org/struts/browse/WW-2427
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>            Reporter: Antonio Petrelli
>            Assignee: Rene Gielen
>             Fix For: 2.1.1
>
>
> The <s:a> does not escape the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
> Probably a new attribute that specifies whether the escape is enabled or not should be added.



[jira] Commented: (WW-2427) s:a does not HTML-escape "href" attribute value

Posted by "Fabio Gandola (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=43022#action_43022 ] 

Fabio Gandola commented on WW-2427:
-----------------------------------

As I wrote in the mailing list discussion, I think that <s:a> should check for the presence of double quotes inside the href attribute, because if these are sent to the output they can cause the "href" attribute of <a> to be closed; then with a > the tag itself will be closed and the attacker will be able to inject any kind of data inside the page (i.e. javascript that will be automatically executed on page load).

So I think it would be great for <s:a> to check whether the value of its href attribute may cause the closing of the generated <a> tag. And one simple way to do this is to look for any double quote inside the href value.

> s:a does not HTML-escape "href" attribute value
> -----------------------------------------------
>
>                 Key: WW-2427
>                 URL: https://issues.apache.org/struts/browse/WW-2427
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>            Reporter: Antonio Petrelli
>             Fix For: 2.1.1
>
>
> The <s:a> does not escape the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
> Probably a new attribute that specifies whether the escape is enabled or not should be added.

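Jeromy's point that HTML-escaping and URL-encoding solve different problems, Don's fix of escaping double quotes, and Fabio's observation that a double quote ends the attribute, shown together as an added Python illustration (not Struts code; the sample href values, `render_anchor` and `attribute_value_seen` are constructed for this example):

```python
import html
from urllib.parse import quote_plus


def html_escape_attr(value: str) -> str:
    # Entity-escape &, <, >, " and ' so the value cannot end the quoted attribute
    # and stays valid HTML; the browser decodes the entities back before use.
    return html.escape(value, quote=True)


def url_encode_href(value: str) -> str:
    # Approximates Java's URLEncoder.encode (form encoding, nothing left safe).
    # Kept only to show why it is not a general answer for an href value.
    return quote_plus(value, safe="")


def render_anchor(href: str, body: str, escape_href: bool = True) -> str:
    # Hypothetical template that drops href into a double-quoted attribute;
    # escape_href=False reproduces the unescaped output reported in WW-2427.
    attr = html_escape_attr(href) if escape_href else href
    return '<a href="%s">%s</a>' % (attr, html.escape(body))


def attribute_value_seen(markup: str) -> str:
    # Simplified reading of a double-quoted attribute: the value ends at the
    # first double quote, which is exactly how an HTML parser delimits it.
    start = markup.index('href="') + len('href="')
    return markup[start:markup.index('"', start)]


def may_close_attribute(href: str) -> bool:
    # The simple check Fabio suggests: a double quote in the value would end
    # the attribute early, so it must be escaped (or rejected) before output.
    return '"' in href


# Constructed sample values (not taken from the issue).
TRICKY = 'search?q=say "hi"'            # contains a double quote
URL = "http://example.com/list?a=1&b=2"  # ordinary URL with a query string
SCRIPT = "javascript:toggle()"           # script URL, legitimate in some apps

if __name__ == "__main__":
    print(render_anchor(TRICKY, "x", escape_href=False))  # attribute truncated
    print(render_anchor(TRICKY, "x"))                     # &quot; keeps it whole
    print(html_escape_attr(URL))         # & becomes &amp; - still a valid link
    print(url_encode_href(URL))          # URL-encoding mangles an actual URL
    print(url_encode_href(SCRIPT))       # ...and a javascript: value too
```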


[jira] Updated: (WW-2427) s:a does not HTML-escape "href" attribute value

Posted by "Rene Gielen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen updated WW-2427:
----------------------------

    Fix Version/s:     (was: 2.0.12)
                   2.0.11.1

The fix goes into 2.0.11.1

> s:a does not HTML-escape "href" attribute value
> -----------------------------------------------
>
>                 Key: WW-2427
>                 URL: https://issues.apache.org/struts/browse/WW-2427
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>            Reporter: Antonio Petrelli
>            Assignee: Rene Gielen
>             Fix For: 2.0.11.1, 2.1.1
>
>
> The <s:a> does not escape the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
> Probably a new attribute that specifies whether the escape is enabled or not should be added.
