[ https://issues.apache.org/jira/browse/WW-5294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699718#comment-17699718 ]

Erica Kane commented on WW-5294:
--------------------------------

I want to make sure I'm understanding this correctly, because this has 
significant implications for us.

If I have a page that only uses s:url and s:a tags to provide links to other 
pages, but has no active functionality itself and is never the target of an 
action, using those tags is dangerous? And if that's the case, why do I only 
see the warning for s:url tags and not for s:a tags? Is s:a safe, but not s:url?

If both tags are dangerous, then this should be a bug report about *not* having 
a warning for the s:a tag on public pages. We have far more of those and 
replacing them would be a bit of a headache. Obviously I will do it if there is 
a security issue.

I did see the link about never exposing JSP files directly, but it isn't clear 
_why_.

> s:url tag usage in a public page triggers a warning to not expose JSP pages 
> directly 
> -------------------------------------------------------------------------------------
>
>                 Key: WW-5294
>                 URL: https://issues.apache.org/jira/browse/WW-5294
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 6.1.2
>         Environment: Ubuntu 20, Java 8, Tomcat 9
>            Reporter: Erica Kane
>            Priority: Major
>             Fix For: 6.2.0
>
>
> I have a number of public pages that use the {{<s:a>}} tags with no issues. 
> But one page uses an {{<s:url>}} tag, and every time it is visited I get a 
> warning on our logs the Action invocation context is null, and that JSP pages 
> should not be exposed directly. This is an informational page only, and I 
> can't think why the URL tag is unsafe to use while the a tag is safe. I am 
> assuming this is a bug, but of course if there is an issue with the URL tag 
> on a public page I would like to know.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)