[WW-3405] fielderror -tag does not escape the error message if param tag is used - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.1.8.1
Fix Version/s: 2.2.1
Component/s: None
Labels:
- cross
- scripting
- site
- vulnerability
- xss
Environment:

Windows Vista, Weblogic 10.3.2, Struts 2.1.8.1

Description

Noticed this when I wanted to have the field contents as part of the error message. In this case, the error message I'm using has ${trackingCode} as part of it and there's a input field in the form named trackingCode. Class error_text is simple class, that colors the text red.

When using fielderror as follows:
<s:fielderror theme="simple" cssClass="error_text" />
If the field trackingCode contains javascript, the script is just printed on the page as part of the error message. Also possible HTML -entities in resource bundle are printed out with the ampersand -> ä is just printed out as it was in the resource bundle.

When using fielderror like this:
<s:fielderror theme="simple" cssClass="error_text" >
<s:param>trackingCode</s:param>
</s:fielderror>
If the field trackingCode contains javascript, the script is executed on page load. Also any HTML -entities in resource bundle are not escaped, hence ä becomes ä on the page.

I think this is an obvious bug, but was unable to find an issue of it.

Attachments

Activity

People

Assignee:: Lukasz Lenart

Reporter:: Petteri Kauko

Votes:: 1 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 10/Mar/10 13:24

Updated:: 14/Jul/10 20:15

Resolved:: 25/Mar/10 11:41