You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Paul Benedict (JIRA)" <ji...@apache.org> on 2007/08/21 04:59:34 UTC
[jira] Updated: (STR-2332) RFE: validator against cross-site
scripting
[ https://issues.apache.org/struts/browse/STR-2332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Paul Benedict updated STR-2332:
-------------------------------
Component/s: (was: Core)
Taglibs
Fix Version/s: Future
Assignee: (was: Struts Developers)
> RFE: validator against cross-site scripting
> -------------------------------------------
>
> Key: STR-2332
> URL: https://issues.apache.org/struts/browse/STR-2332
> Project: Struts 1
> Issue Type: Improvement
> Components: Taglibs
> Affects Versions: 1.2.4
> Environment: Operating System: All
> Platform: PC
> Reporter: Ralf Hauser
> Priority: Minor
> Fix For: Future
>
>
> The bean:write tag has the filter attribute as a first and very effective line
> of defense.
> However, there may be cases where it is desirable have user input rendered as
> html and thus set filter="false". Just not render html that is likely to be
> malicious.
> Suggestion: have a validator that rejects all kinds of scripts and uncontrolled
> inclusions (<object, <iframe, ...)
> see also: http://httpd.apache.org/info/css-security/
> P.S.: An alternative might be to have the validator not just reject, but also
> sanitze if this appears to be feasible
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.