Struts 2 / WW-2427

s:a does not HTML-escape "href" attribute value


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.11
    • Fix Version/s: 2.0.11.1, 2.1.1
    • Component/s: Plugin - Tags
    • Labels: None

    Description

      The <s:a> tag does not escape the "href" attribute value with HTML entities. This can lead to invalid HTML and, in certain cases, to XSS attacks.
      Probably a new attribute, which specifies whether the escaping is enabled or not, should be added.
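
The behaviour the description reports, next to an entity-escaped rendering, as an added example that is not Struts source code or part of the original issue. The class name, method names and sample href values are hypothetical and constructed for illustration.

```java
// Added illustration, not Struts code. All names and sample values are constructed.
public class AnchorHrefEscaping {

    // Replace the characters that are significant inside a double-quoted HTML attribute.
    static String escapeHtmlAttr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Reported behaviour: the href value is written into the attribute verbatim.
    static String renderUnescaped(String href) {
        return "<a href=\"" + href + "\">link</a>";
    }

    // Corrected behaviour: the href value is entity-escaped before it is written.
    static String renderEscaped(String href) {
        return "<a href=\"" + escapeHtmlAttr(href) + "\">link</a>";
    }

    // Simple check for these samples: a start tag with one attribute has exactly
    // two double quotes. More than two means the value ended the attribute early.
    static int quotesInStartTag(String html) {
        int end = html.indexOf('>');
        int n = 0;
        for (int i = 0; i < end; i++) if (html.charAt(i) == '"') n++;
        return n;
    }

    public static void main(String[] args) {
        // Sample 1 carries a raw '&' (invalid HTML); sample 2 carries a double quote.
        String[] samples = { "list.action?id=1&page=2", "list.action?name=a\"b" };
        for (String href : samples) {
            String raw = renderUnescaped(href);
            String safe = renderEscaped(href);
            System.out.println(raw + "   quotes in start tag: " + quotesInStartTag(raw));
            System.out.println(safe + "   quotes in start tag: " + quotesInStartTag(safe));
        }
    }
}
```

Entity escaping keeps the value inside the attribute; it does not validate the URL scheme, which is a separate check.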

            People

              Assignee: Donald J. Brown (mrdon)
              Reporter: Antonio Petrelli (brenmcguire)
              Votes: 0
              Watchers: 1
