Struts 2
  1. Struts 2
  2. WW-3608

Java Template defaults to opening up a XSS vulnerability

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: 2.3.1
    • Labels:
      None

      Description

      The following components do not escape input by default on submission: FileHandler, HiddenHandler, PasswordHandler, ResetHandler, SelectHandler, SubmitHandler, and TextFieldHandler. This opens up an XSS vulnerability by default.

      They currently do something like:

      .addIfExists("value", params.get("nameValue"), false)

      instead of:

      .addIfExists("value", params.get("nameValue"), true)

      I vote it defaults to escaping. Having an attribute added to toggle it would be nice too.

        Issue Links

          Activity

          Lukasz Lenart made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Maurizio Cucchiara made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Fix Version/s 2.3 [ 12315916 ]
          Resolution Duplicate [ 3 ]
          Maurizio Cucchiara made changes -
          Link This issue is duplicated by WW-3597 [ WW-3597 ]
          Maurizio Cucchiara made changes -
          Field Original Value New Value
          Assignee Maurizio Cucchiara [ maurizio.cucchiara ]
          Dustin Digmann created issue -

            People

            • Assignee:
              Maurizio Cucchiara
              Reporter:
              Dustin Digmann
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development