XSS vulnerability in javatemplates plugin
-----------------------------------------
Key: WW-3597
URL: https://issues.apache.org/jira/browse/WW-3597
Project: Struts 2
Issue Type: Bug
Components: Plugin - Java Templates
Affects Versions: 2.2.1.1
Reporter: Gareth Faires
Priority: Critical
Attachments: javatemplates-xss.patch
Many of the component handlers do not escape the value attribute. In fact they
have been deliberately set to not escape their output. This enables reflective
XSS on any page which uses the struts tags where the value is not manually
escaped.
The javatemplates plugin is increasingly being used instead of the default
Freemarker renderer because of its performance benefits. The Freemarker
renderer escapes values correctly, therefore switching over to the javatemplates
plugin can automatically make your website vulnerable.
Also, the documentation should make it very clear which attributes are not
encoded, for example, the anchor tag's href attribute is not encoded, therefore
if you don't use the url tag to construct your url, then you need to make sure
you escape any untrusted data you use to construct the url.
I have updated all of the javatemplates plugin's tag handlers to be consistent
with the Freemarker renderer and will attach a patch.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
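The two behaviours the report contrasts, as an added illustration that is not code from the Struts project, the javatemplates plugin, or the attached patch: a tag handler that writes the value attribute verbatim (the reflected XSS the reporter describes) beside one that HTML-escapes it the way the Freemarker templates do, plus the href caveat from the report. The class name, the helper names, the escaping routine and the http/https scheme allowlist for href are assumptions made here for the example; the payload and URLs are constructed sample input.

```java
// Added example; not code from the Struts javatemplates plugin or its patch.
// Assumptions: class/method names are invented here; the escaper covers the
// five characters that can break out of a quoted HTML attribute; the href
// check only accepts http, https and scheme-less (relative) URLs.
public class ValueAttributeEscaping {

    // HTML-escape a string for use inside a quoted attribute value.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable behaviour: the value attribute is written raw, so a value
    // containing '"' closes the attribute and the rest is parsed as markup.
    static String renderTextFieldUnescaped(String name, String value) {
        return "<input type=\"text\" name=\"" + name
             + "\" value=\"" + value + "\"/>";
    }

    // Fixed behaviour: every attribute value is escaped before it is written,
    // matching what the Freemarker renderer does.
    static String renderTextFieldEscaped(String name, String value) {
        return "<input type=\"text\" name=\"" + escapeHtml(name)
             + "\" value=\"" + escapeHtml(value) + "\"/>";
    }

    // href caveat: HTML-escaping stops the attribute from being closed early,
    // but a "javascript:" URL is still executed by the browser, so the scheme
    // has to be checked separately. Browsers ignore ASCII control characters
    // and whitespace inside the scheme, so strip them before inspecting it.
    static boolean isSafeHref(String href) {
        if (href == null) return false;
        String h = href.replaceAll("[\\u0000-\\u0020]", "").toLowerCase();
        int colon = h.indexOf(':');
        if (colon < 0) return true;                        // relative URL
        String scheme = h.substring(0, colon);
        if (!scheme.matches("[a-z][a-z0-9+.-]*")) return true; // ':' not a scheme
        return scheme.equals("http") || scheme.equals("https");
    }

    // Anchor rendering: escape the href and refuse unsafe schemes.
    static String renderAnchorEscaped(String href, String text) {
        if (!isSafeHref(href)) {
            throw new IllegalArgumentException("refusing href with disallowed scheme");
        }
        return "<a href=\"" + escapeHtml(href) + "\">" + escapeHtml(text) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample input: the kind of value a request parameter
        // reflected into a form field would carry.
        String payload = "\"><script>alert(1)</script>";

        System.out.println("unescaped: " + renderTextFieldUnescaped("q", payload));
        // -> <input type="text" name="q" value=""><script>alert(1)</script>"/>
        System.out.println("escaped:   " + renderTextFieldEscaped("q", payload));
        // -> <input type="text" name="q" value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"/>

        System.out.println(renderAnchorEscaped("/search?q=a&b=c", "search"));
        System.out.println(isSafeHref("java\tscript:alert(1)"));  // false
        System.out.println(isSafeHref("https://example.invalid/x")); // true
    }
}
```

Run it as a single file with `java ValueAttributeEscaping.java` (Java 11 or later). The point of `isSafeHref` is the one the report makes about the anchor tag: escaping alone does not make an attacker-controlled href safe, which is why the url tag, or a scheme check like this one on any untrusted part of the URL, is needed when the attribute is not encoded.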