Struts 2 / WW-3608

Java Template defaults to opening up an XSS vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: 2.3.1
    • Labels: None

      Description

      The following components do not escape input by default on submission: FileHandler, HiddenHandler, PasswordHandler, ResetHandler, SelectHandler, SubmitHandler, and TextFieldHandler. This opens up an XSS vulnerability by default.

      They currently do something like:

      .addIfExists("value", params.get("nameValue"), false)

      instead of:

      .addIfExists("value", params.get("nameValue"), true)

      I vote it defaults to escaping. Having an attribute added to toggle it would be nice too.
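To make the report concrete, the following is an added Java example; it is not Struts 2 code. It models the `addIfExists(name, value, encode)` call quoted above with a toy `Attributes` class (the `escape` helper, the `render` method, the `renderTextField` wrapper and the `PAYLOAD` string are assumptions constructed for this demo, not the project's implementation) and renders the same text field once with the encode flag set to false and once with it set to true.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not Struts 2 code. A minimal stand-in for the attribute builder
// used by the Java template handlers; only the addIfExists(name, value, encode)
// shape quoted in the report is reproduced.
public class EscapeDemo {

    static final class Attributes {
        private final Map<String, String> attrs = new LinkedHashMap<>();

        // Third argument mirrors the flag in the report:
        // false = value copied through verbatim, true = value HTML-encoded.
        Attributes addIfExists(String name, Object value, boolean encode) {
            if (value != null) {
                String s = String.valueOf(value);
                attrs.put(name, encode ? escape(s) : s);
            }
            return this;
        }

        // Hypothetical escaper for HTML attribute values (assumed for this demo).
        static String escape(String s) {
            StringBuilder out = new StringBuilder(s.length());
            for (char c : s.toCharArray()) {
                switch (c) {
                    case '&':  out.append("&amp;");  break;
                    case '<':  out.append("&lt;");   break;
                    case '>':  out.append("&gt;");   break;
                    case '"':  out.append("&quot;"); break;
                    case '\'': out.append("&#39;");  break;
                    default:   out.append(c);
                }
            }
            return out.toString();
        }

        // Serialise the collected attributes as a self-closing tag.
        String render(String tag) {
            StringBuilder sb = new StringBuilder("<").append(tag);
            for (Map.Entry<String, String> e : attrs.entrySet()) {
                sb.append(' ').append(e.getKey())
                  .append("=\"").append(e.getValue()).append('"');
            }
            return sb.append("/>").toString();
        }
    }

    // Constructed input: a request parameter that a form re-displays in the field.
    // The leading double quote is what breaks out of the value attribute.
    static final String PAYLOAD = "\" autofocus onfocus=\"alert(1)";

    // Hypothetical text-field rendering; the third argument is the flag under discussion.
    static String renderTextField(String nameValue, boolean encode) {
        return new Attributes()
                .addIfExists("type", "text", false)
                .addIfExists("name", "q", false)
                .addIfExists("value", nameValue, encode)
                .render("input");
    }

    public static void main(String[] args) {
        System.out.println("encode=false: " + renderTextField(PAYLOAD, false));
        System.out.println("encode=true:  " + renderTextField(PAYLOAD, true));
    }
}
```

With the flag at false, the double quote at the start of the payload terminates the `value` attribute and the remainder lands in the tag as additional attributes, so the event handler fires as soon as the field is focused. With the flag at true the quote is emitted as `&quot;` and the whole payload stays inside the attribute value as inert text.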

        Issue Links

          This issue is duplicated by WW-3597
          Activity

          Transition            Time In Source Status   Execution Times   Last Executer        Last Execution Date
          Open -> Resolved      8d 15h 33m              1                 Maurizio Cucchiara   28/Apr/11 09:04
          Resolved -> Closed    224d 11h 49m            1                 Lukasz Lenart        08/Dec/11 19:54
          Change history (Field: Original Value -> New Value), most recent first:
          Lukasz Lenart made changes: Status: Resolved [ 5 ] -> Closed [ 6 ]
          Maurizio Cucchiara made changes: Status: Open [ 1 ] -> Resolved [ 5 ]; Fix Version/s: 2.3 [ 12315916 ]; Resolution: Duplicate [ 3 ]
          Maurizio Cucchiara made changes: Link: This issue is duplicated by WW-3597 [ WW-3597 ]
          Maurizio Cucchiara made changes: Assignee: Maurizio Cucchiara [ maurizio.cucchiara ]
          Dustin Digmann created issue

            People

            • Assignee: Maurizio Cucchiara
            • Reporter: Dustin Digmann
            • Votes: 0
            • Watchers: 0
