I posted this bug report on the issue tracker: https://issues.apache.org/struts/browse/WW-2414
In simple words, if you use <s:url ...> to build a URL that is then used with <s:a ...>, the HTML written out will not have the "querystring" encoded, and this leads to very dangerous XSS attacks.

    <%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
    <%@ taglib prefix="s" uri="/struts-tags"%>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Insert title here</title>
    </head>
    <body>
    <s:url id="xssTest" action="test" namespace="/test" encode="true" />
    <s:a href="%{xssTest}">XSS Test</s:a>
    </body>
    </html>

    http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp? >'"><script>alert(document.cookie)</script>

I tested this .jsp inside the 2.0.11 blank application. I think it's a severe problem, because every Struts2 website using <s:url and <s:a this way can be attacked with XSS.

Please give some feedback. Thank you.
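The report above boils down to a missing output-encoding layer: a link needs its parameter names and values percent-encoded when the URL is built, and then the whole URL HTML-escaped when it is written into an href attribute. The following stand-alone Java class is an added illustration of that principle, written for this page; it is not Struts code and does not model how <s:url> or <s:a> work internally. The class name SafeLink, the method names, the path "/test/test.action" and the input payload (taken from the URL in the report) are all chosen here for the example. It uses the URLEncoder.encode(String, Charset) overload, so it assumes JDK 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical helper for this example (not part of Struts): shows the two
 * encoding layers a generated link needs, and what happens when one is missing.
 */
public final class SafeLink {

    /** Layer 1: build the URL, percent-encoding every parameter name and value. */
    static String buildUrl(String path, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(path);
        char sep = '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep)
              .append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return sb.toString();
    }

    /** Layer 2: escape a string for use inside a double-quoted HTML attribute. */
    static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable: the reflected query string is written straight into href. */
    static String vulnerableAnchor(String path, String rawQuery) {
        return "<a href=\"" + path + "?" + rawQuery + "\">XSS Test</a>";
    }

    /** Hardened: parameters are URL-encoded, then the whole URL is attribute-escaped. */
    static String safeAnchor(String path, Map<String, String> params) {
        return "<a href=\"" + escapeAttr(buildUrl(path, params)) + "\">XSS Test</a>";
    }

    public static void main(String[] args) {
        // Constructed input: the payload from the report, as it arrives in the query string.
        // It has no '=', so it is a parameter name with an empty value.
        String rawQuery = ">'\"><script>alert(document.cookie)</script>";
        Map<String, String> params = new LinkedHashMap<>();
        params.put(rawQuery, "");

        // The first line closes the href attribute and injects a <script> element;
        // the second keeps the payload inert inside the attribute.
        System.out.println(vulnerableAnchor("/test/test.action", rawQuery));
        System.out.println(safeAnchor("/test/test.action", params));
    }
}
```

The two layers are not interchangeable: percent-encoding alone still leaves the raw `&` separators, which need to become `&amp;` inside the attribute, and HTML-escaping alone would leave characters such as `"` and `>` in a form that a browser decodes back before it follows the link. Any tag or helper that emits a link into markup has to do both, in that order.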