I posted this bug report on the issue tracker:

https://issues.apache.org/struts/browse/WW-2414

In simple words, if you use <s:url ...> to build a URL that is used
with <s:a ...>, the HTML written out will not have the "querystring"
encoded, and this leads to very dangerous XSS attacks.

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="s" uri="/struts-tags"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<s:url id="xssTest" action="test" namespace="/test" encode="true" />
<s:a href="%{xssTest}">XSS Test</s:a>
</body>
</html>

http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?
>'"><script>alert(document.cookie)</script>

I tested this .jsp inside the 2.0.11 blank application.
I think it's a severe problem, because every Struts2 website using
<s:url and <s:a this way can be attacked with XSS.

Please give some feedback.
Thank you.
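To make the failure mode concrete, here is an added illustration (my own code, not part of the report above and not Struts source): a function that mirrors the behaviour described, copying the request's query string into an href attribute verbatim, next to a hardened version that HTML-attribute-escapes the URL before writing it. The class and method names are hypothetical; the escaping routine is a plain five-character HTML escape that I assume is sufficient for an attribute context, and the sample query string is the one from the report, constructed here in its decoded form.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added demonstration (hypothetical names, not Struts code).
 * Shows why writing a raw query string into href is an XSS sink,
 * and what escaping for the attribute context does to the same input.
 */
public class HrefEscapeDemo {

    /** Escape the characters that can break out of an HTML attribute or start a tag. */
    static String escapeHtmlAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Mirrors the reported behaviour: the query string lands in the href as-is. */
    static String vulnerableAnchor(String basePath, String rawQuery) {
        return "<a href=\"" + basePath + "?" + rawQuery + "\">XSS Test</a>";
    }

    /** Hardened: the whole URL is escaped for the attribute context before output. */
    static String hardenedAnchor(String basePath, String rawQuery) {
        return "<a href=\"" + escapeHtmlAttr(basePath + "?" + rawQuery) + "\">XSS Test</a>";
    }

    /** Simple check a template test could use: no raw tag delimiters or quotes may survive inside the attribute. */
    static boolean attributeIsSafe(String html) {
        int start = html.indexOf("href=\"") + 6;
        int end = html.indexOf("\">", start);
        if (start < 6 || end < 0) return false;
        String attr = html.substring(start, end);
        List<String> forbidden = Arrays.asList("<", ">", "\"", "'");
        for (String f : forbidden) {
            if (attr.contains(f)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String basePath = "/struts2-blank-2.0.11/example/XSS.jsp";
        // Constructed sample: the query string from the report, as the browser would send it (decoded).
        String rawQuery = ">'\"><script>alert(document.cookie)</script>";

        String bad = vulnerableAnchor(basePath, rawQuery);
        String good = hardenedAnchor(basePath, rawQuery);

        System.out.println("vulnerable: " + bad);
        System.out.println("   safe?    " + attributeIsSafe(bad));   // false: the attribute is closed and a tag injected
        System.out.println("hardened:   " + good);
        System.out.println("   safe?    " + attributeIsSafe(good));  // true: every delimiter is an entity now
    }
}
```

The check in `attributeIsSafe` is deliberately crude (it only inspects the first href), but it captures the property a regression test for this report should assert: whatever arrives in the query string, the rendered attribute must contain no unescaped `<`, `>`, `"` or `'`. Escaping belongs at the point of output, in the tag that writes the href, rather than in each page that uses <s:url> and <s:a>.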
