http://issues.apache.org/bugzilla/show_bug.cgi?id=33087

Summary: RFE: validator against cross-site scripting
Product: Struts
Version: 1.2.4
Platform: PC
URL: http://www.cert.org/tech_tips/malicious_code_mitigation.html
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Validator Framework
AssignedTo: dev@struts.apache.org
ReportedBy: [EMAIL PROTECTED]

The bean:write tag has the filter attribute as a first and very effective line of defense. However, there may be cases where it is desirable to have user input rendered as HTML and thus set filter="false", just not render HTML that is likely to be malicious.

Suggestion: have a validator that rejects all kinds of scripts and uncontrolled inclusions (<object, <iframe, ...).

See also: http://httpd.apache.org/info/css-security/

P.S.: An alternative might be to have the validator not just reject, but also sanitize, if this appears to be feasible.
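The two variants the report proposes, a validator that rejects script and uncontrolled inclusions and one that sanitizes instead, as an added example that is not part of the bug report or of the Struts Validator Framework. It is written in Python rather than as a Struts plugin because the point is the filtering logic, not the plugin wiring: the input is run through a real HTML tokenizer (Python's html.parser) so that case variants, entity-encoded attribute values and whitespace inside a URL scheme are seen the way a browser sees them. The blocked-tag set beyond <script>, <object> and <iframe>, the allowlist of tags and attributes, the URL attribute list and the sample inputs are all my assumptions, not anything the report specifies. A substring check of the `<script`/`<object`/`<iframe` kind is kept alongside for contrast, to show the inputs it accepts.

```python
import html
import re
from html.parser import HTMLParser

# Elements the report names (<script>, <object>, <iframe>) plus others that run
# or pull in uncontrolled content; the additions are an assumption of this example.
BLOCKED_TAGS = {"script", "object", "iframe", "embed", "applet", "base",
                "link", "meta", "style", "form"}
# Allowlist used by the sanitizing variant (assumed; the report gives no list).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
# Attributes whose value is fetched or navigated to, so the scheme matters.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "background"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _unsafe_url(value):
    # Browsers ignore whitespace and control characters inside the scheme
    # ("java\tscript:"), so strip them before comparing. HTMLParser has already
    # decoded entities such as "&#99;" in the attribute value for us.
    scheme_part = re.sub(r"[\x00-\x20]", "", value or "").lower()
    return scheme_part.startswith(DANGEROUS_SCHEMES)


class HtmlInputFilter(HTMLParser):
    """Tokenizes untrusted HTML once and records both what a rejecting
    validator would complain about and what a sanitizing one would keep."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.violations = []   # reasons a rejecting validator would fail the field
        self.output = []       # allowlisted markup plus escaped text

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:            # tag names arrive lowercased
            self.violations.append(f"blocked element <{tag}>")
            return
        kept = []
        for name, value in attrs:          # attribute names arrive lowercased
            if name.startswith("on"):
                self.violations.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and _unsafe_url(value):
                self.violations.append(f"unsafe URL in {name} on <{tag}>")
            elif tag in ALLOWED_TAGS and name in ALLOWED_ATTRS.get(tag, set()):
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        if tag in ALLOWED_TAGS:            # everything else is dropped silently
            self.output.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # treat <br/> like <br>, no end tag

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.output.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is re-escaped, so it
        # can never become markup again.
        self.output.append(html.escape(data, quote=False))


def _run(untrusted):
    f = HtmlInputFilter()
    f.feed(untrusted)
    f.close()                              # flush buffered text
    return f


def validate_no_script(untrusted):
    """Rejecting validator: a list of violations; empty means the input is accepted."""
    return _run(untrusted).violations


def sanitize(untrusted):
    """Sanitizing validator: the input reduced to allowlisted tags and attributes."""
    return "".join(_run(untrusted).output)


def naive_validator_accepts(untrusted):
    """Substring blacklist of the kind the report sketches, kept for contrast."""
    return re.search(r"<\s*(script|object|iframe)", untrusted, re.I) is None


# Constructed inputs for illustration; none of them come from the report.
SAMPLES = {
    "plain":      "Hello <b>world</b>",
    "script":     "<ScRiPt>alert(1)</script>",
    "handler":    '<img src="x" onerror="alert(1)">',
    "js_url":     '<a href="javascript:alert(1)">x</a>',
    "entity_url": '<a href="javas&#99;ript:alert(1)">x</a>',
    "tab_url":    '<a href="java\tscript:alert(1)">x</a>',
    "iframe":     '<iframe src="http://example.com/"></iframe>',
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:10} naive accepts={naive_validator_accepts(sample)!s:5} "
              f"violations={validate_no_script(sample)} sanitized={sanitize(sample)!r}")
```

The substring check accepts the "handler", "js_url", "entity_url" and "tab_url" samples, which is why a rejecting validator built as a list of forbidden tag prefixes is never finished: new vectors are attributes and URL schemes, not just tag names. The sanitizing variant is sturdier because it only has to enumerate what is allowed, but it still changes the user's input, so the application has to be happy rendering the reduced version. Either way the filter attribute of bean:write stays the primary control; this kind of validator is only for the fields where filter="false" is genuinely required.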