struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeromy Evans <>
Subject Re: Feedback: WW-2414, XSS attack is possible if using <s:url ...> and <s:a ...>
Date Sun, 13 Jan 2008 05:11:43 GMT
I don't think this is a critical problem sheerly because the high 
prevalence of such vulnerabilities means some of the responsibility 
falls on the developer to not trust user-entered data..  The specific 
vulnerability is that when includeParams != none, the request URL was 
rendered unmodified within the HTML because the developer chose to use 
it in an anchor.

I guess the proposal is that if encode=true, the entire URL query 
section should be URL encoded and not just the additional parameters? Is 
that right?

Interestingly, encoding may not completely eliminate the vulnerability.  
In IE6 <a href="javascript%3Aalert%28%27hello%27%29"> doesn't execute 
the javascript, but also doesn't issue the request for a page of that name.

GF wrote:
> Of course,
> to raise this security issues, the includeParams attribute parameter
> of <s:url should be different by "none"
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message