Posted to dev@struts.apache.org by GF <ga...@gmail.com> on 2008/01/11 15:05:08 UTC

XSS and the "encode" attribute of

Can someone explain to me the use of the "encode" attribute of <s:url ..>?

I'm trying to do something like this:

<s:url id="xssTest" action="test" namespace="/test" encode="true" />
<s:a href="%{xssTest}"></s:a>

http://localhost:8080/myTest/content/hello.action?>'"><script>alert(document.cookie)</script>

But.. when it outputs the <a ..></a> it doesn't encode the query string,
and this causes the Javascript to be executed, with all the XSS risks
related to this.
I'm trying this code with Struts 2.0.11.

Is it normal?!

And.. I have taken a very quick look into the class:
org.apache.struts2.components.URL revision 595746
There is the "encode" property.. the getters and setters.. but where
is it checked and the URL encoded?

Maybe I'm just wrong and I'm missing something banal.
Can anyone give me a hint?

Thank you!
GF
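The post touches two distinct encoding layers that a link-building tag has to get right when it copies the current request's GET parameters into the generated link: percent-encoding of every parameter name and value (what an "encode" attribute is expected to cover), and HTML attribute escaping when the finished URL is written into `<a href="...">`. The following model is an added example, not Struts' own code; the `build_url`, `render_anchor` and `analyze` functions and the sample query string are constructed here to show how skipping either layer lets a parameter like the one above break out of the attribute, and how either layer on its own keeps the markup intact.

```python
"""Model of a URL-building tag that copies request GET parameters into a
generated link, plus a parser-based check of the resulting markup.
Constructed example; none of this is Struts code."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode
import html

# Constructed query string of the same shape as the request in the post:
# a parameter whose *name* is the payload and whose value is empty.
REQUEST_QUERY = ">'\"><script>alert(document.cookie)</script>"


def build_url(path, query_string, encode=True):
    """Hypothetical stand-in for a tag with includeParams-style behaviour.

    encode=True percent-encodes every parameter name and value.
    encode=False writes the parameters back verbatim, which is the
    behaviour the post observes."""
    params = parse_qsl(query_string, keep_blank_values=True)
    if not params:
        return path
    if encode:
        return f"{path}?{urlencode(params)}"
    return path + "?" + "&".join(f"{name}={value}" for name, value in params)


def render_anchor(url, text, escape_attr=True):
    """Write the URL into an <a> element.

    escape_attr=True applies HTML attribute escaping (&, <, >, ", ') to the
    href; escape_attr=False interpolates it raw."""
    href = html.escape(url, quote=True) if escape_attr else url
    return f'<a href="{href}">{html.escape(text)}</a>'


class _TagCollector(HTMLParser):
    """Record the start tags and <a href> values a browser-like parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a":
            self.hrefs.extend(value for name, value in attrs if name == "href")


def analyze(markup):
    """Return (tags seen, href values seen). A 'script' entry in the tag
    list means the parameter escaped the href attribute."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.hrefs


if __name__ == "__main__":
    path = "/test/test.action"
    for encode in (False, True):
        for escape_attr in (False, True):
            markup = render_anchor(build_url(path, REQUEST_QUERY, encode), "link", escape_attr)
            tags, _ = analyze(markup)
            verdict = "BROKEN OUT" if "script" in tags else "intact"
            print(f"encode={encode!s:5} escape_attr={escape_attr!s:5} -> {verdict}")
```

Running the block prints one line per combination: only the case with neither percent-encoding nor attribute escaping yields a parsed `<script>` tag; with percent-encoding the href no longer contains any of the characters that can terminate a quoted attribute, and with attribute escaping the parser hands back the original URL as a single href value.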

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: XSS and the "encode" attribute of

Posted by Laurie Harper <la...@holoweb.net>.
Please post questions about using Struts to the Struts Users list only. 
The Struts Dev list is for discussing the development and enhancement of 
Struts itself.

http://struts.apache.org/mail.html

GF wrote:
> Can someone explain to me the use of the "encode" attribute of <s:url ..>?
> 
> I'm trying to do something like this:
> 
> <s:url id="xssTest" action="test" namespace="/test" encode="true" />
> <s:a href="%{xssTest}"></s:a>
> 
> http://localhost:8080/myTest/content/hello.action?>'"><script>alert(document.cookie)</script>
> 
> But.. when it outputs the <a ..></a> it doesn't encode the query string,
> and this causes the Javascript to be executed, with all the XSS risks
> related to this.
> I'm trying this code with Struts 2.0.11.
> 
> Is it normal?!
> 
> And.. I have taken a very quick look into the class:
> org.apache.struts2.components.URL revision 595746
> There is the "encode" property.. the getters and setters.. but where
> is it checked and the URL encoded?
> 
> Maybe I'm just wrong and I'm missing something banal.
> Can anyone give me a hint?
> 
> Thank you!
> GF

