You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Paul Benedict (JIRA)" <ji...@apache.org> on 2007/08/21 04:59:34 UTC

[jira] Updated: (STR-2332) RFE: validator against cross-site scripting

     [ https://issues.apache.org/struts/browse/STR-2332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Benedict updated STR-2332:
-------------------------------

      Component/s:     (was: Core)
                   Taglibs
    Fix Version/s: Future
         Assignee:     (was: Struts Developers)

> RFE: validator against cross-site scripting
> -------------------------------------------
>
>                 Key: STR-2332
>                 URL: https://issues.apache.org/struts/browse/STR-2332
>             Project: Struts 1
>          Issue Type: Improvement
>          Components: Taglibs
>    Affects Versions: 1.2.4
>         Environment: Operating System: All
> Platform: PC
>            Reporter: Ralf Hauser
>            Priority: Minor
>             Fix For: Future
>
>
> The bean:write tag has the filter attribute as a first and very effective line
> of defense.
> However, there may be cases where it is desirable have user input rendered as
> html and thus set filter="false". Just not render html that is likely to be
> malicious.
> Suggestion: have a validator that rejects all kinds of scripts and uncontrolled
> inclusions (<object, <iframe, ...)
> see also: http://httpd.apache.org/info/css-security/
> P.S.: An alternative might be to have the validator not just reject, but also
> sanitze if this appears to be feasible

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.