Posted to issues@struts.apache.org by "Antonio Petrelli (JIRA)" <ji...@apache.org> on 2008/01/16 12:26:04 UTC

[jira] Updated: (WW-2427) s:a does not HTML-escape "href" attribute value

     [ https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Petrelli updated WW-2427:
---------------------------------

    Description: 
The <s:a> does not escape with HTML entities the "href" attribute value. This can lead to invalid HTML and, in certain cases, to 
XSS attacks.
Probably a new attribute, that specifies if the escape is enabled or not, should be added.

  was:
The <s:a> does not encode with HTML entities the "href" attribute value. This can lead to invalid HTML and, in certain cases, to 
XSS attacks.
Probably a new attribute, that specifies if the encoding is enabled or not, should be added.

        Summary: s:a does not HTML-escape "href" attribute value  (was: s:a does not encode "href" attribute value)

Thanks Jeromy, I rewrote the description and the summary replacing the term "encode" with "escape".

> s:a does not HTML-escape "href" attribute value
> -----------------------------------------------
>
>                 Key: WW-2427
>                 URL: https://issues.apache.org/struts/browse/WW-2427
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>            Reporter: Antonio Petrelli
>
> The <s:a> does not escape with HTML entities the "href" attribute value. This can lead to invalid HTML and, in certain cases, to 
> XSS attacks.
> Probably a new attribute, that specifies if the escape is enabled or not, should be added.
