If you are not familiar with what I mean by cross site scripting (XSS), here are two links with information about it:
http://www.cgisecurity.com/articles/xss-faq.shtml http://www.cert.org/advisories/CA-2000-02.html According to the first FAQ above, some of the things that should be done to protect your web application are: "Never trust user input and always filter metacharacters. This will eliminate the majority of XSS attacks. Converting < and > to < and > is also suggested when it comes to script output. Remember XSS holes can be damaging and costly to your business if abused. Often attackers will disclose these holes to the public, which can erode customer and public confidence in the security and privacy of your organization's site. Filtering < and > alone will not solve all cross site scripting attacks and it is suggested you also attempt to filter out ( and ) by translating them to ( and ), and also # and & by translating them to # (#) and & (&)." I saw some old discussions on the Struts-Dev list about default behavior in the <bean:write> custom tag. Checking recent documentation, the default behavior is to do this sort of filtering/conversion now for <bean:write>. So, that particular aspect is covered as long as I don't explicitly set the "filter" attribute to "false" in my <bean:write> tags. I didn't see any discussion of how Struts processes request parameters when auto-populating form beans. Is similar filtering/conversion being done there as well? Are there any other aspects of this particular security issue that I need to be concerned about while developing my web application with Struts 1.1-b2? - Mike Van Riper mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
