2008/1/14, GF <[EMAIL PROTECTED]>:
>
> > Fabio, one little question.
> > I don't see how this code can write the parameter passed to the JSP
> > page. Probably you pasted the wrong code in the <s:url> part.
>
> Just add (i.e. in IE6) after the ? the following query string:
>
>'"><script>alert('helloworld')</script>


Sorry again Fabio, but I need to understand: the querystring does not seem
to have a "param=value" structure, and <s:url> has "test" as action, and
does not take any dynamic value (i.e. parameter), but maybe I am missing
something.

Antonio
