2008/1/12, GF <[EMAIL PROTECTED]>:
> http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?
> '"><script>alert(document.cookie)</script>
>
> I tested this .jsp inside the 2.0.11 blank application.
> I think it's a severe problem, because every Struts2 website using
> this way <s:url and <s:a can be attacked with XSS.
It looks like a critical bug (security exploit): the URL should be parsed, separating the query string into parameters.

Thoughts?

Antonio
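The parsing Antonio asks for, as an added illustration that is not Struts code from this thread: the query string is split into parameters, each name and value is URL-encoded again, and the rebuilt URL is HTML-attribute-escaped before it lands in an href. The class and method names (SafeLinkBuilder, naiveHref, parseQuery, escapeAttr, safeHref) are assumptions for the example; the probe string is the one from the quoted mail.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not Struts source: rebuilds an <a href> from an incoming
// query string the way the thread argues <s:url>/<s:a> should, i.e. by parsing
// the query into parameters and re-encoding each one instead of copying raw text.
public final class SafeLinkBuilder {

    // The unsafe pattern under discussion: the raw query string is copied into the attribute verbatim.
    static String naiveHref(String path, String rawQuery) {
        return "<a href=\"" + path + "?" + rawQuery + "\">link</a>";
    }

    // Parse "a=1&b=2" into ordered name/value pairs, URL-decoding each part.
    // (URLDecoder rejects malformed %xx sequences with IllegalArgumentException.)
    static Map<String, String> parseQuery(String rawQuery) {
        Map<String, String> params = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) return params;
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Minimal HTML attribute escaping for the characters that can close a quoted href.
    static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Hardened form: each parameter is URL-encoded, then the whole URL is attribute-escaped.
    static String safeHref(String path, String rawQuery) {
        StringBuilder url = new StringBuilder(path);
        String sep = "?";
        for (Map.Entry<String, String> e : parseQuery(rawQuery).entrySet()) {
            url.append(sep).append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
               .append('=').append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = "&";
        }
        return "<a href=\"" + escapeAttr(url.toString()) + "\">link</a>";
    }

    public static void main(String[] args) {
        String query = "id=7&'\"><script>alert(document.cookie)</script>"; // probe from the thread
        System.out.println(naiveHref("/example/XSS.jsp", query)); // script element lands in the page
        System.out.println(safeHref("/example/XSS.jsp", query));  // stays an inert, encoded parameter
    }
}
```

Running the class prints the two renderings side by side; only the naive one contains a literal `<script>` element, the hardened one carries the probe as a percent-encoded parameter name inside a still-quoted attribute.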