struts-issues mailing list archives

From "Maurizio Cucchiara (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (WW-3608) Java Template defaults to opening up a XSS vulnerability
Date Thu, 28 Apr 2011 08:06:03 GMT

     [ https://issues.apache.org/jira/browse/WW-3608?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maurizio Cucchiara resolved WW-3608.
------------------------------------

       Resolution: Duplicate
    Fix Version/s: 2.3

> Java Template defaults to opening up a XSS vulnerability
> --------------------------------------------------------
>
>                 Key: WW-3608
>                 URL: https://issues.apache.org/jira/browse/WW-3608
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Java Templates
>            Reporter: Dustin Digmann
>            Assignee: Maurizio Cucchiara
>             Fix For: 2.3
>
>
> The following components do not escape input by default on submission: FileHandler, HiddenHandler,
> PasswordHandler, ResetHandler, SelectHandler, SubmitHandler, and TextFieldHandler.  This opens
> up an XSS vulnerability by default.
> They currently do something like:
> .addIfExists("value", params.get("nameValue"), false)
> instead of:
> .addIfExists("value", params.get("nameValue"), true)
> I vote it defaults to escaping.  Having an attribute added to toggle it would be nice
> too.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
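The flag the report asks to flip, as an added Java example that is not the Struts 2 Java Templates plugin's own code: the `Attributes`, `addIfExists` and `renderTextField` names are hypothetical stand-ins modelled on the snippet in the report, and the escaping routine is an assumption, not the plugin's.

```java
import java.util.LinkedHashMap;
import java.util.Map;
public class AttributeEscapingDemo {
    // Hypothetical stand-in for the plugin's Attributes class (added example, not plugin code).
    static class Attributes extends LinkedHashMap<String, String> {
        Attributes addIfExists(String attrName, Object paramValue, boolean encode) {
            if (paramValue != null) {
                String val = paramValue.toString();
                put(attrName, encode ? htmlAttrEncode(val) : val);
            }
            return this;
        }
        // Render as ` name="value"` pairs for use inside a start tag.
        String render() {
            StringBuilder sb = new StringBuilder();
            for (Map.Entry<String, String> e : entrySet())
                sb.append(' ').append(e.getKey()).append("=\"").append(e.getValue()).append('"');
            return sb.toString();
        }
    }
    // Escape the characters that can terminate a double-quoted attribute or start markup.
    static String htmlAttrEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
    // Mirrors what a TextFieldHandler does with "nameValue"; encode is the boolean the report discusses.
    static String renderTextField(Map<String, Object> params, boolean encode) {
        Attributes attrs = new Attributes()
                .addIfExists("name", params.get("name"), true)
                .addIfExists("value", params.get("nameValue"), encode);
        return "<input type=\"text\"" + attrs.render() + "/>";
    }
    public static void main(String[] args) {
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("name", "q");
        params.put("nameValue", "say \"hi\" <b>"); // constructed sample input with a stray quote
        System.out.println("encode=false: " + renderTextField(params, false)); // quote ends the attribute early
        System.out.println("encode=true:  " + renderTextField(params, true));  // quote stays inside the attribute
    }
}
```

With `encode=false` the submitted quote closes the `value` attribute and the rest of the input lands in tag context; with `encode=true` the same input is rendered as inert attribute text.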
