Posted to dev@struts.apache.org by Jordi Fernandez <jo...@esilog.com> on 2010/01/15 10:11:06 UTC

No escape in hidden and other input tags

The s2 hidden tag (and other input tags) does not escape HTML characters by
default as the property tag does. This can easily lead to XSS attacks if
you develop a stateless application in which the client is maintaining
state. Is there a good reason for this? I think a sensible default would be
to escape HTML in all input tags. What do you think?
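To illustrate the risk described above, here is an added example (not Struts code and not from the poster) that renders a hidden input the way an unescaping tag would, beside a version that escapes the value with a minimal attribute-safe escaper; the `HiddenFieldEscaping` class, its methods and the sample value are all constructed for this illustration.

```java
/** Added example, not part of Struts: why a hidden tag should HTML-escape its value by default. */
public class HiddenFieldEscaping {

    /** Renders a hidden input the way an unescaping tag would: the value is copied verbatim. */
    static String renderUnescaped(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + value + "\"/>";
    }

    /** Minimal HTML escaper for the characters that can close an attribute or open a tag. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders the same hidden input with the value escaped, so it cannot leave value="...". */
    static String renderEscaped(String name, String value) {
        return renderUnescaped(name, escapeHtml(value));
    }

    /** Simple check a test suite could apply: the raw value must not appear unescaped in the markup. */
    static boolean valueStaysInsideAttribute(String rendered, String value) {
        return !rendered.contains(value) || escapeHtml(value).equals(value);
    }

    public static void main(String[] args) {
        // Constructed client-held state: in a stateless app this round-trips through the form,
        // so the server cannot assume it is still the value it originally emitted.
        String untrusted = "Smith \"Bob\" <bob>";
        String raw = renderUnescaped("user", untrusted);
        String safe = renderEscaped("user", untrusted);
        System.out.println(raw);   // the quote ends the attribute early; "<bob>" lands in tag context
        System.out.println(safe);  // prints &quot; and &lt;/&gt;, so the value stays inert
        System.out.println(valueStaysInsideAttribute(raw, untrusted));   // false
        System.out.println(valueStaysInsideAttribute(safe, untrusted));  // true
    }
}
```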
