Project: Struts 1
Issue: STR-2332

RFE: validator against cross-site scripting


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.2.4
    • Fix Version/s: Future
    • Component/s: Tag Libraries
    • Labels: None
    • Environment: Operating System: All; Platform: PC
    • Bugzilla Id: 33087

      Description

The bean:write tag has the filter attribute as a first and very effective line of defense.

However, there may be cases where it is desirable to have user input rendered as HTML and thus set filter="false", just not render HTML that is likely to be malicious.

Suggestion: have a validator that rejects all kinds of scripts and uncontrolled inclusions (<object, <iframe, ...).

See also: http://httpd.apache.org/info/css-security/

P.S.: An alternative might be to have the validator not just reject, but also sanitize, if this appears to be feasible.
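An added illustration of the two approaches the issue describes, rejecting versus sanitizing user-supplied HTML that is going to be rendered with filter="false". This is example code written for this page, not Struts code, and it does not use the Struts Validator API; the class and method names (HtmlInputCheck, isAcceptable, sanitize) are illustrative. It goes beyond the request in one respect: the sanitizer keeps an allow-list of harmless formatting tags and escapes everything else, rather than trying to enumerate bad tags, because a block-list has to be complete to be safe while an allow-list only has to be correct about the few tags it permits.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustrative check for user input that will be rendered as HTML.
 *  - isAcceptable(): the block-list validator the issue asks for; it rejects
 *    scripts and uncontrolled inclusions (object, iframe, ...).
 *  - sanitize(): the "also sanitize" alternative, implemented as an allow-list
 *    so that only a handful of formatting tags survive, with no attributes.
 * Neither method is tied to the Struts Validator framework; a real plug-in
 * would wrap one of them in the validator method signature the framework expects.
 */
public final class HtmlInputCheck {

    // Tags the issue names as likely malicious (plus two close relatives),
    // matched case-insensitively so <IFRAME and < iframe are caught as well.
    private static final Pattern BLOCKED_TAGS = Pattern.compile(
        "<\\s*/?\\s*(script|object|iframe|embed|applet)\\b",
        Pattern.CASE_INSENSITIVE);

    /** Block-list check: true when none of the known-bad tags appears. */
    public static boolean isAcceptable(String html) {
        if (html == null) {
            return true;
        }
        return !BLOCKED_TAGS.matcher(html).find();
    }

    // Allow-list for the sanitizer: only these tag names are emitted, and
    // always without attributes, since script can also arrive in an attribute.
    private static final List<String> ALLOWED =
        Arrays.asList("b", "i", "em", "strong", "p", "br");

    // Any tag-like construct: optional closing slash, tag name, rest up to '>'.
    private static final Pattern ANY_TAG =
        Pattern.compile("<\\s*(/?)\\s*([a-zA-Z0-9]+)[^>]*>");

    /** Allow-list sanitizer: keeps permitted tags bare, escapes all other markup. */
    public static String sanitize(String html) {
        if (html == null) {
            return "";
        }
        StringBuilder out = new StringBuilder();
        Matcher m = ANY_TAG.matcher(html);
        int last = 0;
        while (m.find()) {
            // Text between tags is always escaped.
            out.append(escape(html.substring(last, m.start())));
            String name = m.group(2).toLowerCase();
            if (ALLOWED.contains(name)) {
                out.append('<').append(m.group(1)).append(name).append('>');
            } else {
                // Unknown or dangerous tag: render it as literal text.
                out.append(escape(m.group()));
            }
            last = m.end();
        }
        out.append(escape(html.substring(last)));
        return out.toString();
    }

    /** Minimal HTML escaping for text content. */
    private static String escape(String s) {
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one harmless, two of the kinds the issue names.
        String[] samples = {
            "<b>hello</b> world",
            "<IFRAME src=\"http://example.invalid/\"></IFRAME>",
            "<p>text</p><script>alert(1)</script>"
        };
        for (String s : samples) {
            System.out.println("accept=" + isAcceptable(s) + "  sanitized=" + sanitize(s));
        }
    }
}
```

Running main prints accept=true for the first sample and accept=false for the other two, while sanitize() turns the iframe and script tags into escaped text and leaves the bold and paragraph tags in place. In a validator plug-in the natural split is to call isAcceptable() when the field should be rejected outright and sanitize() when the application prefers to store a cleaned value.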


People

• Assignee: Unassigned
• Reporter: hauser@acm.org Ralf Hauser
• Votes: 0
• Watchers: 1
