Isn't XSS usually an attack for information which changes often (mutable 
data, blog comments, etc.) and which should NOT normally include your 
site's system messages?  So, if your message files get modified to 
include XSS code then you either have an employee you should FIRE or a 
HACKER which is a bigger problem in and of itself.

As you can see from my above point of view, I happen to view this as a 
non-issue as well as a useful feature as it is implemented now.

Regards,
David G. Friedman

>>> I have some code like this:
>>>
>>> ctx.getMessages().add(new SimpleMessage(
>>>    "Record ''{0}'' deleted", recordName));
>>>
>>> If recordName contains HTML characters they are output unescaped by the
>>> <stripes:messages> tag.  This contrasts with field validation errors,
>>> which are correctly escaped.  Shouldn't all the error handling and
>>> messaging stuff work the same way, and escape HTML characters?
>>>
>> --
>> Alan Burlison
>>
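Added example, not code from the thread or from Stripes itself: a MessageFormat-based renderer that escapes only the untrusted parameters (recordName) and leaves the trusted template from the message files alone, which addresses the unescaped-parameter problem Alan describes while keeping the HTML-in-messages behaviour David wants. The escapeHtml helper is a hypothetical stand-in for whatever escaping the validation-error path already applies.

```java
import java.text.MessageFormat;
import java.util.Arrays;

/**
 * Added example, not Stripes' own code: the message template comes from the
 * application's message files and is trusted, but the parameters (here
 * recordName) are request data and are escaped before the message is rendered.
 */
public final class EscapedMessage {

    /** Minimal HTML escaper (hypothetical stand-in for the escaping the
     *  validation-error path already applies). */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Formats a trusted MessageFormat template with untrusted parameters.
     * Each parameter is escaped first so markup inside it is shown as text;
     * the template itself is left alone, so HTML placed deliberately in the
     * message files still renders ('' is MessageFormat's escaped quote).
     */
    static String render(String template, Object... params) {
        Object[] safe = Arrays.stream(params)
                .map(p -> escapeHtml(String.valueOf(p)))
                .toArray();
        return new MessageFormat(template).format(safe);
    }

    public static void main(String[] args) {
        // Constructed sample input: a record name containing markup characters.
        String recordName = "Q3 <report> & \"draft\"";
        System.out.println(render("Record ''{0}'' deleted", recordName));
    }
}
```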
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users