2008/1/14, GF <[EMAIL PROTECTED]>:
>
> > Fabio, one little question.
> > I don't see how this code can write the parameter passed to the JSP
> > page. Probably you pasted the wrong code in the <s:url> part.
>
> Just add (i.e. in IE6) after the ? the following query string:
>
> '"><script>alert('helloworld')</script>

Sorry again Fabio, but I need to understand: the querystring does not seem to have a "param=value" structure, and <s:url> has "test" as action, and does not take any dynamic value (i.e. parameter), but maybe I am missing something.

Antonio