Affects Version/s: 2.3.24, 2.3.28
Fix Version/s: 2.5.x
Operating System: Windows 7 (N/A).
Application Server: Tomcat 6 (any server running on JRE 1.6 or an earlier JRE).
Development Framework: Struts 2.3.28, 22.214.171.124.
Browser: Firefox 38.0.1.
Affected components: the <s:include> tag and JspTemplateEngine.
(I use the <s:include> tag.)
The included page is encoded with the response character encoding (default ISO-8859-1, from ServletResponse).
But the encoded result is decoded with the 'request' character encoding (default UTF-8, injected via @Inject(StrutsConstants.STRUTS_I18N_ENCODING)).
org.apache.struts2.components.Include therefore uses the wrong character encoding.
If the request and response character encodings are explicitly configured to the same value,
there is no problem.
However, if the request and response character encodings are not explicitly configured
(or only <%@ page contentType="text/html; charset=ISO-8859-1" %> is written in the JSP),
the included page is encoded as ISO-8859-1 and decoded as UTF-8.
Under the old UTF-8 decoding rule (in effect on JRE 1.5.0_16 or earlier and JRE 1.6.0_10 or earlier),
this produces an XSS vulnerability, even when the input value is sanitized on output via <s:textfield>.
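An added illustration of the mismatch described above, not code from Struts: a hypothetical stand-in for the include path that renders with the response charset and decodes the buffered bytes with the request charset, using a strict decoder so the mismatch is reported instead of silently tolerated, next to a variant that decodes with the response's own charset. Class and method names are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

// Hypothetical stand-in for the include path: the included page is
// rendered into bytes with one charset and the buffered bytes are
// turned back into a String with another.
public class IncludeCharsetCheck {

    // Strict decoding: any malformed or unmappable input is reported.
    // A lenient legacy decoder would instead accept such byte sequences,
    // which is the condition the report ties to the XSS.
    static String decodeStrict(byte[] content, Charset decodeWith)
            throws CharacterCodingException {
        return decodeWith.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(content))
                .toString();
    }

    // Corrected behaviour: decode the buffered include with the same
    // charset the response used to write it, so the round trip is lossless.
    static String decodeIncludedPage(byte[] content, String responseEncoding)
            throws CharacterCodingException {
        Charset cs = responseEncoding != null
                ? Charset.forName(responseEncoding)
                : StandardCharsets.ISO_8859_1; // servlet default when unset
        return decodeStrict(content, cs);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an already-sanitized fragment with a non-ASCII char.
        String rendered = "<input value=\"caf&eacute; &lt;b&gt;\"> \u00e9";
        byte[] asResponseWrote = rendered.getBytes(StandardCharsets.ISO_8859_1);

        // Same charset both ways: the string survives unchanged.
        String ok = decodeIncludedPage(asResponseWrote, "ISO-8859-1");
        System.out.println("lossless round trip: " + ok.equals(rendered));

        // Buggy path (ISO-8859-1 bytes read as UTF-8): strict decoding rejects it.
        try {
            decodeStrict(asResponseWrote, StandardCharsets.UTF_8);
            System.out.println("no mismatch detected");
        } catch (CharacterCodingException e) {
            System.out.println("charset mismatch detected: " + e);
        }
    }
}
```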