I don't think this is a critical problem sheerly because the high prevalence of such vulnerabilities means some of the responsibility falls on the developer to not trust user-entered data. The specific vulnerability is that when includeParams != none, the request URL was rendered unmodified within the HTML because the developer chose to use it in an anchor.

I guess the proposal is that if encode=true, the entire URL query section should be URL encoded and not just the additional parameters? Is that right?

Interestingly, encoding may not completely eliminate the vulnerability. In IE6 <a href="javascript%3Aalert%28%27hello%27%29"> doesn't execute the javascript, but also doesn't issue the request for a page of that name.

GF wrote:
Of course, to raise this security issue, the includeParams attribute parameter of <s:url should be different from "none"

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
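
One way to read the proposal discussed above, as an added example that is not part of the original thread and is not Struts code: every incoming parameter name and value is re-encoded, and the assembled URL is then escaped for the HTML attribute before it goes into the anchor. `buildHref`, `renderAnchor`, the path and the sample query are hypothetical and constructed for illustration; the path is assumed to be chosen by the application, not taken from the request.

```javascript
// Added example, not Struts code: rebuild an href from the incoming request
// parameters (what includeParams != none does) without echoing them raw.

// Escape for an HTML attribute value. encodeURIComponent leaves ' ( ) ! * ~
// untouched, so percent-encoding alone is not enough inside an attribute.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hypothetical helper: path is application-chosen, rawQuery comes from the request.
function buildHref(path, rawQuery, extraParams = {}) {
  const incoming = new URLSearchParams(rawQuery); // decodes names and values
  const pairs = [];
  for (const [k, v] of incoming) pairs.push([k, v]);
  for (const [k, v] of Object.entries(extraParams)) pairs.push([k, String(v)]);
  // Re-encode the whole query, not only the additional parameters.
  const query = pairs
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return escapeAttr(query ? `${path}?${query}` : path);
}

function renderAnchor(path, rawQuery, extraParams, label) {
  return `<a href="${buildHref(path, rawQuery, extraParams)}">${escapeAttr(label)}</a>`;
}

// Constructed sample input: a query string carrying markup in a value.
const SAMPLE_QUERY = 'q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&page=2';
const SAMPLE_HTML = renderAnchor('/search.action', SAMPLE_QUERY, { sort: 'asc' }, 'next');
```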





