[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15217656#comment-15217656 ]
Rene Gielen commented on WW-4507:
---------------------------------

[~taromaru] I'm not sure if my analysis above is completely wrong. However, this is an interesting finding and I see your point. Historically we had many issues with solely relying on "standard" encoding querying functions like response.getCharacterEncoding(). That's why the struts.i18n.encoding property was introduced (originally even in WebWork). With its help we force a user-configurable encoding. Users are responsible for configuring consistent encoding, that is, having page encoding match their Struts 2 setup.

The best solution to your point is IMO to use consistent encoding in page encoding, connector setup and struts.i18n.encoding. Besides that, we recommend using UTF-8 only. See also https://struts.apache.org/docs/s2-028.html

This particular issue WW-4507 deals with a platform problem. After talking to the Tomcat guys, we agreed to add additional safety by using their encoding logic where it applies to framework calls. But we also said: this is a platform issue, please move to a supported JRE. There is a reason why the old decoding rule was ditched, so we can only encourage our users to move to a modern and less buggy environment.

If you feel like the Include component should use response.getCharacterEncoding rather than struts.i18n.encoding, you are invited to open a new issue to let us discuss this, along with possible implications.

> Struts 2 XSS vulnerability with <s:textfield>
> ---------------------------------------------
>
>                 Key: WW-4507
>                 URL: https://issues.apache.org/jira/browse/WW-4507
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.16.3
>         Environment: Operating System: Windows 7. Application Server: JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: Struts 2.3.16.3. Browser: Firefox 38.0.1
>            Reporter: brian neisen
>            Assignee: Rene Gielen
>              Labels: struts2, vulnerability, xss
>             Fix For: 2.3.28, 2.5
>
>
> WhiteHat Security (whitehatsec.com) has found an XSS vulnerability with the <s:textfield> tag. When loading a URL in a browser with some param name, in this case "myinput", and the JSP being loaded has the tag <s:textfield name="myinput" id="myinput"></s:textfield>, an alert message is popped open in the browser, which is WhiteHat's method of showing the vulnerability.
>
> Example URL is:
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
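The platform problem Rene describes is that an old JRE accepted overlong UTF-8 sequences, so a 6-byte sequence such as the `%fc%80%80%80%80%bC` in the quoted URL decoded to `<` and bypassed escaping. The following is an added example, not code from the Struts project or this thread: it locates overlong lead bytes in a percent-decoded parameter and shows that a strict UTF-8 decoder (as modern JREs and Python use) rejects the value outright, while a correctly encoded value passes. The sample values are constructed from the first sequence in the reported URL.

```python
"""Strict UTF-8 validation of percent-encoded request parameters."""
from typing import List, Optional
from urllib.parse import unquote_to_bytes

# Constructed samples: the first 6-byte sequence from the WW-4507 URL,
# which a lenient decoder turns into '<', and a valid 2-byte encoding.
OVERLONG_LT = "%fc%80%80%80%80%bC"
SAFE_VALUE = "caf%C3%A9"  # 'café'

# (lead-byte mask, expected sequence length, smallest code point allowed)
_LEADS = ((0xC0, 2, 0x80), (0xE0, 3, 0x800), (0xF0, 4, 0x10000),
          (0xF8, 5, 0x200000), (0xFC, 6, 0x4000000))


def find_overlong(data: bytes) -> List[int]:
    """Return offsets of lead bytes whose structurally complete sequence
    encodes a code point below the minimum for its length (overlong).
    Malformed input is skipped here; the strict decoder handles it."""
    hits, i = [], 0
    while i < len(data):
        b = data[i]
        length = next((n for mask, n, _ in reversed(_LEADS)
                       if b & (mask | (mask >> 1) & 0xFF) == mask), 0)
        # Resolve the lead pattern exactly: 110xxxxx, 1110xxxx, ... 1111110x
        length = 0
        for mask, n, minimum in _LEADS:
            if (b >> (8 - n)) == (mask >> (8 - n)) and (b >> (7 - n)) & 1 == 0:
                length, floor = n, minimum
                break
        tail = data[i + 1:i + length]
        if length and len(tail) == length - 1 and all(0x80 <= t < 0xC0 for t in tail):
            cp = b & ((1 << (7 - length)) - 1)  # payload bits of the lead byte
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp < floor:
                hits.append(i)
            i += length
        else:
            i += 1
    return hits


def decode_param(raw: str) -> Optional[str]:
    """Percent-decode then strictly UTF-8-decode; None means reject."""
    try:
        return unquote_to_bytes(raw).decode("utf-8")  # strict by default
    except UnicodeDecodeError:
        return None
```

The `find_overlong` offsets are what a filter or WAF rule would log; the request itself should simply be rejected when `decode_param` returns `None`.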