[
https://issues.apache.org/struts/browse/WW-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=43006#action_43006
]
Jeromy Evans commented on WW-2427:
----------------------------------
It's deliberate that href is the only attribute in this template that isn't
HTML-escaped.
Automatically HTML-escaping the href attribute will not be satisfactory for a
URL value.
Automatically URL-encoding the href attribute will not be satisfactory for a
javascript/vbscript value.
Adding an encode attribute (default false) that URLEncoder.encode's href when
true seems to be part of the solution. It may also be appropriate to
html-escape the attribute when encode is false.
> s:a does not encode "href" attribute value
> ------------------------------------------
>
> Key: WW-2427
> URL: https://issues.apache.org/struts/browse/WW-2427
> Project: Struts 2
> Issue Type: Bug
> Components: Plugin - Tags
> Affects Versions: 2.0.11
> Reporter: Antonio Petrelli
>
> The <s:a> tag does not encode the "href" attribute value with HTML entities. This
> can lead to invalid HTML and, in certain cases, to
> XSS attacks.
> Probably a new attribute, that specifies whether the encoding is enabled or not,
> should be added.
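The trade-off Jeromy describes (HTML-escaping versus URL-encoding an href), worked as an added example that is not Struts code and not part of the issue: Python's `quote_plus` stands in for `java.net.URLEncoder.encode`, and the sample hrefs are constructed.

```python
import html
from urllib.parse import quote_plus, urlencode


def html_attr_escape(value: str) -> str:
    """Escape for a double-quoted HTML attribute: & < > " and ' become entities."""
    return html.escape(value, quote=True)


def url_encode_whole(value: str) -> str:
    """Percent-encode the entire value (approximates URLEncoder.encode).
    Applied to a whole href this also encodes ':', '/', '?', '=' and '&',
    which is why it is unsuitable for URL or javascript: hrefs."""
    return quote_plus(value, safe="")


def render_anchor(href: str, escape_html: bool) -> str:
    """Render <a href="..."> with or without HTML-escaping of the attribute."""
    attr = html_attr_escape(href) if escape_html else href
    return f'<a href="{attr}">link</a>'


def href_seen_by_browser(rendered: str) -> str:
    """Naive attribute parse: the value ends at the first raw '"' and
    entities inside it are decoded, as a browser would do."""
    start = rendered.index('href="') + len('href="')
    end = rendered.index('"', start)
    return html.unescape(rendered[start:end])


def build_href(base: str, params: dict) -> str:
    """Correct layering: URL-encode each parameter value, then HTML-escape
    the assembled href for the attribute context."""
    return html_attr_escape(base + "?" + urlencode(params))


# Constructed sample values, not taken from the issue.
HREF_WITH_QUOTE = 'report.action?title=Q"A&x=<y>'
JS_HREF = 'javascript:toggle("menu")'

if __name__ == "__main__":
    print(render_anchor(HREF_WITH_QUOTE, escape_html=False))  # attribute closes early at Q"
    print(render_anchor(HREF_WITH_QUOTE, escape_html=True))   # entities keep the value intact
    print(url_encode_whole("http://example.com/a?b=1"))       # http%3A%2F%2F... no longer a URL
    print(render_anchor(JS_HREF, escape_html=True))           # browser decodes back to the script
    print(build_href("report.action", {"title": 'Q"A', "x": "<y>"}))
```

The unescaped render shows the invalid-HTML case from the report: the attribute ends at the first `"`, while HTML-escaping round-trips both the URL and the javascript: value unchanged.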