Can someone explain to me the use of the "encode" attribute of <s:url ..>?

I'm trying to do something like this:

<s:url id="xssTest" action="test" namespace="/test" encode="true" />
<s:a href="%{xssTest}"></s:a>

http://localhost:8080/myTest/content/hello.action?>'"><script>alert(document.cookie)</script>

But.. when it outputs the <a ..></a> it doesn't encode the query string,
and this causes the JavaScript to be executed, with all the XSS risks
related to this.
I'm trying this code with Struts 2.0.11.

Is it normal?!

And.. I have taken a very quick look at the class:
org.apache.struts2.components.URL revision 595746
There is the "encode" property.. the getters and setters.. but where
is it checked and the URL encoded?

Maybe I'm just wrong and I'm missing something banal.
Can anyone give me a hint?

Thank you!
GF

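An added example (not from the original post, and not Struts code) of the two separate encodings a generated link needs: percent-encoding each parameter value when the URL is assembled, and then HTML-escaping the whole URL when it is written into an href attribute. The class, method names and the sample parameter value are assumptions; the probe string is the one from the question, used here as constructed input.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class SafeHrefDemo {

    // URL context: percent-encode every parameter name and value so that
    // characters like ' " < > cannot break out of the query string.
    static String buildUrl(String base, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(base);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep)
              .append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = "&";
        }
        return sb.toString();
    }

    // HTML attribute context: escape the characters that could end the
    // attribute or the tag. This is applied to the already-built URL.
    static String htmlAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Both layers together: the value that reaches the browser is inert.
    static String anchor(String base, Map<String, String> params, String text) {
        return "<a href=\"" + htmlAttr(buildUrl(base, params)) + "\">"
             + htmlAttr(text) + "</a>";
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>();
        // Constructed input: the probe from the question as a parameter value.
        params.put("q", ">'\"><script>alert(document.cookie)</script>");
        System.out.println(anchor("/myTest/content/hello.action", params, "link"));
    }
}
```

The unencoded link in the question interpolates the raw parameter into the href; running this shows the same value rendered so that neither the URL nor the attribute can be escaped from.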