
s:actionerror and Cross-Site Scripting


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.14
    • Fix Version/s: 2.1.8
    • Component/s: None
    • Labels: None

      Description

      Currently, the s:property tag has an attribute named "escape" which allows users to determine whether HTML strings should be escaped when displaying content to the screen. The s:actionerror tag does not have any equivalent functionality, and this can be used by Cross-Site Scripting attacks. For example,

      <s:textfield name="myField" />
      <s:actionerror />

      public String execute() {
          // myField is populated from the textfield above (setter omitted here)
          if (myField != null && myField.length() > 50) {
              // The raw, unescaped user value is embedded in the error message
              addActionError("The provided user text: \"" + myField + "\" exceeds the maximum length of 50 for the field.");
              return "input";
          }
          return "success";
      }

      Suppose that a user enters some malicious JavaScript in myField which is longer than 50 characters. When the Action returns to the form, the malicious JavaScript in the s:actionerror (but not in the s:textfield) will execute on the user's machine. It would be very useful if the s:actionerror tag included some functionality to escape this malicious HTML.

      Thanks!
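A defensive rewrite of the Action from the report, added here as an illustrative example and not code from the reporter or from the Struts project: the user-supplied value is HTML-escaped before it is placed in the error message, so whatever s:actionerror renders is inert even on versions that predate the fix in 2.1.8. The class name LengthCheckAction and the hand-written escapeHtml helper are assumptions made so the example depends only on xwork's ActionSupport.

```java
import com.opensymphony.xwork2.ActionSupport;

// Hypothetical Action name; mirrors the execute() logic quoted in the report.
public class LengthCheckAction extends ActionSupport {
    private static final int MAX_LENGTH = 50;
    private String myField;

    // Bound from <s:textfield name="myField" /> by the params interceptor.
    public void setMyField(String myField) { this.myField = myField; }
    public String getMyField() { return myField; }

    @Override
    public String execute() {
        if (myField != null && myField.length() > MAX_LENGTH) {
            // Escape before the value reaches the message: an s:actionerror tag
            // without escaping writes the message verbatim into the page.
            addActionError("The provided user text: \"" + escapeHtml(myField)
                    + "\" exceeds the maximum length of " + MAX_LENGTH + " for the field.");
            return INPUT;
        }
        return SUCCESS;
    }

    // Minimal HTML entity encoding of the characters that can open a tag,
    // terminate an attribute value, or start an entity reference.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Self-check of the helper on a constructed input; run with xwork2 on the classpath.
    public static void main(String[] args) {
        String escaped = escapeHtml("<i>&\"quoted\"</i>");
        if (!"&lt;i&gt;&amp;&quot;quoted&quot;&lt;/i&gt;".equals(escaped)) {
            throw new AssertionError(escaped);
        }
        System.out.println("escapeHtml OK: " + escaped);
    }
}
```

Escaping at the point where untrusted text enters the message keeps the JSP free of per-tag escape settings, and the same helper can be reused for field errors and messages.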


      People

      • Assignee: Unassigned
      • Reporter: dzaz David
