Is this an IE-only thing? When I do this with FF or Safari I get an encoded parameter and it doesn't execute the JavaScript :/
URL's mergeRequestParameters method calls UrlHelper's parseQueryString, which in turn calls Java's URLEncoder.encode; while I haven't spent a lot of time tracking execution, I guess I thought this was the path taken for any GET parameters.

d.

--- Antonio Petrelli <[EMAIL PROTECTED]> wrote:

> 2008/1/13, Jeromy Evans <[EMAIL PROTECTED]>:
> > I don't think this is a critical problem sheerly because the high
> > prevalence of such vulnerabilities means some of the responsibility
> > falls on the developer to not trust user-entered data.
>
> This is not the case: I think it is a bug, since the url in <s:url>
> should be *parsed* before, extracting the eventual querystring and its
> parameters.
> It is a bug, since ganfab (sorry I cannot read your name :-) ) tried
> to use the <s:param> and it works.
> I don't know how <c:url> of JSTL works, but I firmly suppose that it
> parses the URL.
>
> Antonio
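To make the two behaviours being argued about concrete, here is a small stand-alone Java program (an added illustration, not Struts code and not anything posted in this thread) that contrasts a URL builder which appends a caller-supplied query string verbatim with one that first parses the query string into name/value pairs and then re-encodes every name and value with URLEncoder.encode, which is what Antonio says <s:url> should do and what <s:param> evidently does. The class and method names (UrlParamEncoding, buildUrlUnparsed, parseQueryString, buildUrlParsed) and the sample query string are hypothetical; the URLEncoder/URLDecoder Charset overloads used here require Java 10 or later.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Struts code). Contrasts copying a query string into a
 * URL untouched with parsing it and re-encoding each parameter. All names
 * here are hypothetical.
 */
public class UrlParamEncoding {

    /** Unsafe path: whatever follows '?' is appended exactly as supplied. */
    static String buildUrlUnparsed(String base, String rawQuery) {
        if (rawQuery == null || rawQuery.isEmpty()) {
            return base;
        }
        return base + "?" + rawQuery;
    }

    /**
     * Split "a=1&b=2" into ordered name/value pairs, percent-decoding each
     * part exactly once so that already-encoded input is not double-encoded
     * when it is rebuilt below.
     */
    static Map<String, String> parseQueryString(String rawQuery) {
        Map<String, String> params = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return params;
        }
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    /** Safe path: every name and value is re-encoded before being joined back. */
    static String buildUrlParsed(String base, String rawQuery) {
        StringBuilder sb = new StringBuilder(base);
        String sep = "?";
        for (Map.Entry<String, String> e : parseQueryString(rawQuery).entrySet()) {
            sb.append(sep)
              .append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = "&";
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a query string a client could send to a page that
        // echoes it back inside an <s:url value="..."> attribute.
        String fromClient = "page=1&q=\"><script>alert(1)</script>";

        // The quote and angle brackets survive into the href unchanged.
        System.out.println("unparsed: " + buildUrlUnparsed("/list.action", fromClient));

        // Every byte outside the unreserved set is percent-encoded.
        System.out.println("parsed:   " + buildUrlParsed("/list.action", fromClient));
    }
}
```

The second builder is the behaviour the thread expects: parse first, then encode each piece. Note that percent-encoding the parameters is a URL-level fix; the tag that finally writes the href into the page should still HTML-escape the attribute value, since those are two different contexts.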