struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dustin Digmann (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WW-3608) Java Template defaults to opening up a XSS vulnerability
Date Tue, 19 Apr 2011 16:32:05 GMT
Java Template defaults to opening up a XSS vulnerability
--------------------------------------------------------

                 Key: WW-3608
                 URL: https://issues.apache.org/jira/browse/WW-3608
             Project: Struts 2
          Issue Type: Bug
          Components: Plugin - Java Templates
            Reporter: Dustin Digmann


The following components do not escape input by default on submission: FileHandler, HiddenHandler,
PasswordHandler, ResetHandler, SelectHandler, SubmitHandler, and TextFieldHandler.  This opens
up an XSS vulnerability by default.

They currently do something like:

.addIfExists("value", params.get("nameValue"), false)

instead of:

.addIfExists("value", params.get("nameValue"), true)

I vote it defaults to escaping.  Having an attribute added to toggle it would be nice too.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message