[ https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46917#action_46917 ]
Paul Benedict commented on STR-3191:
------------------------------------

Since attribute values are not executable content, I can't see why we would continue allowing those values through unfiltered. It may not be 100% compatible with anyone who has filtered, I grant you that, but it is keeping open a scripting vulnerability. I don't see how it's possible to address it without creating a compatibility issue.

> Sufficiently filter HTML tag attribute names and values
> -------------------------------------------------------
>
>                 Key: STR-3191
>                 URL: https://issues.apache.org/struts/browse/STR-3191
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Tag Libraries
>    Affects Versions: 1.2.9, 1.3.10
>            Reporter: Paul Benedict
>            Assignee: Paul Benedict
>            Priority: Blocker
>             Fix For: 1.3.11, 1.4.0
>
>         Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via
> unspecified vectors related to insufficient quoting of parameters.
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
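
The trade-off raised in the comment above, as an added example that is not part of the original message, the attached patch, or the Struts code base: a tag renderer that emits attribute values unfiltered versus filtered, and the double encoding that results when a caller has already filtered a value. The class, method and attribute names are hypothetical and the input values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; class, method and attribute names are hypothetical, not Struts source.
public class AttributeFilterDemo {

    // Escape the characters that can terminate or alter a quoted HTML attribute value.
    static String filter(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Render a start tag. Attribute names must match a strict pattern;
    // values are filtered only when filterValues is true.
    static String render(String tag, Map<String, String> attrs, boolean filterValues) {
        StringBuilder html = new StringBuilder("<").append(tag);
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            if (!e.getKey().matches("[A-Za-z][A-Za-z0-9:_-]*")) {
                throw new IllegalArgumentException("invalid attribute name: " + e.getKey());
            }
            String v = filterValues ? filter(e.getValue()) : e.getValue();
            html.append(' ').append(e.getKey()).append("=\"").append(v).append('"');
        }
        return html.append(">").toString();
    }

    public static void main(String[] args) {
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("title", "x\" onmouseover=\"alert(1)"); // constructed hostile request parameter
        attrs.put("alt", filter("Tom & Jerry"));          // constructed: caller already filtered

        // Unfiltered: the quote in the value closes the attribute and a new one appears.
        System.out.println(render("img", attrs, false));
        // Filtered: the quote is escaped, but the pre-filtered alt is now encoded twice.
        System.out.println(render("img", attrs, true));
    }
}
```

The second line of output shows the compatibility cost: the `alt` value that the caller had already filtered is rendered as `Tom &amp;amp; Jerry`.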