2008/1/16, Jeromy Evans <[EMAIL PROTECTED]>:
>
> > You forgot a semicolon. The correct link is:
> > Link B
> > And it *is* equivalent.
> >
> > Antonio
> >
> >
> Ah, my bad. Okay, I'm convinced. :-)
>
> On that basis, the anchor tag just needs ?html added to the href
> attribute:
Not this fast J
Antonio Petrelli wrote:
2008/1/16, Jeromy Evans <[EMAIL PROTECTED]>:
Link A
HTML escaped is not equivalent:
Link B
You forgot a semicolon. The correct link is:
Link B
And it *is* equivalent.
Antonio
Ah, my bad. Okay, I'm convinced. :-)
On that basis, the anchor tag just need
2008/1/16, Jeromy Evans <[EMAIL PROTECTED]>:
>
> Link A
>
> HTML escaped is not equivalent:
> Link B
You forgot a semicolon. The correct link is:
Link B
And it *is* equivalent.
Antonio
GF wrote:
It could be a solution, but:
Greet
simply works.
Unfortunately simply HTML Escaping the href attribute isn't
satisfactory. It would corrupt valid javascript.
eg.
Link A
HTML escaped is not equivalent:
Link B
As Martin suggested, you could write code that parses the attribute
> It could be a solution, but:
> Greet
> simply works.
Didn't know.
I'm not very into javascript coding :-)
However I think that preventing double quotes in some way can be good.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For ad
2008/1/15, GF <[EMAIL PROTECTED]>:
> >
> > Or better, escape them with their corresponding entity.
>
> What do you think about
>
> Greet
simply works.
Antonio
> Are you suggesting that javascript injection in href be disabled to prevent
> XSS attacks?
I'm suggesting that is better that the variable inside
Are you suggesting that javascript injection in href be disabled to prevent
XSS attacks?
Martin--
- Original Message -
From: "GF" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List"
Sent: Tuesday, January 15, 2008 3:27 AM
Subject: Re: Feedback: WW-2414, XSS a
>
> Or better, escape them with their corresponding entity.
What do you think about
Well,
> Or better, escape them with their corresponding entity.
>
> Antonio
>
Maybe I'm wrong, but:
In XHTML this is wrong:
because I use double quotes inside a javascript, inside a href tag
delimited by double quotes.
it would be ok to do:
So since can be used to generate a "good" tag,
2008/1/15, GF <[EMAIL PROTECTED]>:
>
> On Jan 15, 2008 2:45 PM, Martin Gainty <[EMAIL PROTECTED]> wrote:
> >
> > Hi Ganfab
> > Are you suggesting the href contents disable javascript to disable XSS
> script attacks? Martin
>
> No, I think that maybe can be useful to think if doing some checks to
> h
On Jan 15, 2008 2:45 PM, Martin Gainty <[EMAIL PROTECTED]> wrote:
>
> Hi Ganfab
> Are you suggesting the href contents disable javascript to disable XSS script
> attacks? Martin
No, I think that maybe can be useful to think if doing some checks to
href attribute of is possible to look for double
Hi Ganfab
Are you suggesting the href contents disable javascript to disable XSS script
attacks? Martin
> Hi Antonio, as I mentioned in a previous post, it's not so simple as the
> href attribute of s:a can legally contain javascript or vbscript.
I think that the problem about in href attribute is the double
quote " character, because it will close the href attribute, then with
a greater than symbo
2008/1/15, Jeromy Evans <[EMAIL PROTECTED]>:
>
> Hi Antonio, as I mentioned in a previous post, it's not so simple as the
> href attribute of s:a can legally contain javascript or vbscript.
> This is precisely why the href attribute is not escaped/encoded in the
> template. It's deliberate.
Sor
Antonio Petrelli wrote:
2008/1/14, GF <[EMAIL PROTECTED]>:
I think that there are 2 issues. Both important. One in s:url and the
other in s:a
s:url generates a URL that can contain a malicious query string (it
doesn't encode anything except what is passed with s:param). And this
is not good,
Fabio, I sent a mail to the Struts Developers mailing list about the problem
you reported, please follow the discussion there.
Thanks
Antonio
2008/1/14, Antonio Petrelli <[EMAIL PROTECTED]>:
>
> 2008/1/14, GF <[EMAIL PROTECTED]>:
> >
> > >
> > > Sorry again Fabio, but I need to understand: the qu
2008/1/14, GF <[EMAIL PROTECTED]>:
>
> >
> > Sorry again Fabio, but I need to understand: the querystring does not
> seem
> > to have a "param=value" structure, and has "test" as action, and
> > does not take any dynamic value (i.e. parameter), but maybe I am missing
> > something.
>
> The bug is
>
> Sorry again Fabio, but I need to understand: the querystring does not seem
> to have a "param=value" structure, and has "test" as action, and
> does not take any dynamic value (i.e. parameter), but maybe I am missing
> something.
The bug is calling that page itself (I mean XSS.jsp) passing vi
2008/1/14, GF <[EMAIL PROTECTED]>:
>
> > Fabio, one little question.
> > I don't see how this code can write the parameter passed to the JSP
> > page. Probably you pasted the wrong code in the part.
>
> Just add (i.e. in IE6) after the ? the following query string:
>
>'">alert('helloworld')
Sorr
> Fabio, one little question.
> I don't see how this code can write the parameter passed to the JSP
> page. Probably you pasted the wrong code in the part.
Just add (i.e. in IE6) after the ? the following query string:
>'">alert('helloworld')
2008/1/12, GF <[EMAIL PROTECTED]>:
>
> XSS Test
> ...
> http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?
> >'">alert(document.cookie)
Fabio, one little question.
I don't see how this code can write the parameter passed to the JSP
page. Probably you pasted the wrong code in the part.
> I think that there are two levels of encoding:
>
> 1) in s:url, the parameters values must be encoded, to create a valid
> (and safe) URL.
> 2) in s:a, the whole URL must be encoded, simply because it is used
> inside an HTML element () between double quotes. For example, '&'
> becomes &amp;
So do y
2008/1/14, GF <[EMAIL PROTECTED]>:
> I think that there are 2 issues. Both important. One in s:url and the
> other in s:a
>
> s:url generates a URL that can contain a malicious query string (it
> doesn't encode anything except what is passed with s:param). And this
> is not good, mainly because whe
> It is a bug, since ganfab (sorry I cannot read your name :-) ) tried
I'm Fabio Gandola.
I'm trying to understand where the real problem is.
I think that there are 2 issues. Both important. One in s:url and the
other in s:a
s:url generates a URL that can contain a malicious query string (it
doesn't encode anything except what is passed with s:param). And this
is not good, mainly beca
GF wrote:
I think that a good framework is a framework that helps the developer
to not create security issues in his applications.
I agree and Struts2 does that for the most part. Almost every attribute
of every tag in struts2 is HTML escaped. However, the href attribute in
particular ca
Antonio Petrelli wrote:
2008/1/13, Jeromy Evans <[EMAIL PROTECTED]>:
I don't think this is a critical problem sheerly because the high
prevalence of such vulnerabilities means some of the responsibility
falls on the developer to not trust user-entered data..
This is not the case: I thi
ks/
M--
- Original Message -
From: "Dave Newton" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List"
Sent: Sunday, January 13, 2008 10:50 AM
Subject: Re: Feedback: WW-2414, XSS attack is possible if using
and
> Is this an IE-only thing?
>
> When I
Is this an IE-only thing?
When I do this w/ FF or Safari I get an encoded parameter and it doesn't
execute the JavaScript :/
URL's mergeRequestParameters method calls UrlHelper's parseQueryString, which
in turn calls Java's URLEncoder.encode; while I haven't spent a lot of time
tracking execution
--- [EMAIL PROTECTED] wrote:
> There also seems to be a bug with treatment of URLs in AnchorTag classes
> specifically [...]
> tag.setHref("TestAction.action"); // where is this method ?
> [...]
AbstractRemoteCallUIBean.java:public void setHref(String href) {
d.
---
2008/1/13, Jeromy Evans <[EMAIL PROTECTED]>:
> I don't think this is a critical problem sheerly because the high
> prevalence of such vulnerabilities means some of the responsibility
> falls on the developer to not trust user-entered data..
This is not the case: I think it is a bug, since the url
d..?
I think I should update JIRA?
Thanks
Martin
- Original Message -
To: "Struts Users Mailing List"
Sent: Sunday, January 13, 2008 12:11 AM
Subject: Re: Feedback: WW-2414, XSS attack is possible if using
and
> I don't think this is a critical problem shee
> I don't think this is a critical problem sheerly because the high
> prevalence of such vulnerabilities means some of the responsibility
> falls on the developer to not trust user-entered data.. The specific
> vulnerability is that when includeParams != none, the request URL was
> rendered unmodi
I don't think this is a critical problem sheerly because the high
prevalence of such vulnerabilities means some of the responsibility
falls on the developer to not trust user-entered data.. The specific
vulnerability is that when includeParams != none, the request URL was
rendered unmodified w
Of course,
to raise this security issues, the includeParams attribute parameter
of
The javascript is executed using Internet Explorer 6 with all of its
patches installed.
The exact query string to do an XSS attack is this
>'">alert(document.cookie)
However I think the problem is not browser related, if you use wrote:
> What browser are you using, and what's the exact query str
What browser are you using, and what's the exact query string being used?
I'm having issues duplicating this.
d.
--- Antonio Petrelli <[EMAIL PROTECTED]> wrote:
> 2008/1/12, GF <[EMAIL PROTECTED]>:
> > http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?
> > >'">alert(document.cookie)
>
2008/1/12, GF <[EMAIL PROTECTED]>:
> http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?
> >'">alert(document.cookie)
>
> I tested this .jsp inside the 2.0.11 blank application.
> I think it's a severe problem, because every Struts2 website using
> this way
I posted this bug report on the issue tracker:
https://issues.apache.org/struts/browse/WW-2414
In simple words, if you use to build an url that is used
with the HTML written out will not have the "querystring"
encoded, and this leads to very dangerous XSS attacks.
<%@ page language="java" cont
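The two levels of encoding the thread arrives at (percent-encode the parameters that s:url includes, then entity-escape the whole URL for the s:a href), as an added Python example that is not part of the thread and not Struts code: `build_url` re-encodes the request's parameters instead of copying them unmodified, `render_anchor` escapes the attribute, and `AnchorReader` reads the markup back the way a browser tokenizes it, which also shows that an entity-escaped javascript: href decodes to the same URL. PATH and RAW_QUERY come from the report; JS_HREF and the function names are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed sample input, modelled on the thread: the request's query string
# carrying the attribute-breaking characters, and a javascript: link like "Greet".
PATH = "/struts2-blank-2.0.11/example/XSS.jsp"
RAW_QUERY = "'\">alert(document.cookie)"
JS_HREF = "javascript:toggle('menu')"  # hypothetical stand-in for the "Greet" link


def build_url(path, raw_query):
    """Level 1 (s:url): rebuild the query string from parsed parameters so every
    name and value is percent-encoded instead of being copied from the request
    unmodified."""
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    return f"{path}?{urlencode(pairs)}" if pairs else path


def render_anchor(url, text):
    """Level 2 (s:a): entity-escape the whole URL inside href="...". Browsers
    decode entities before using the attribute as a URL, so a javascript: href
    keeps its meaning (the 'it is equivalent' point in the thread)."""
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


def render_anchor_unmodified(path, raw_query, text):
    """The reported behaviour: the request query string is written out as-is."""
    return f'<a href="{path}?{raw_query}">{text}</a>'


class AnchorReader(HTMLParser):
    """Read the markup back the way a browser tokenizes it: what did the href
    attribute really contain, and what text landed outside it?"""

    def __init__(self):
        super().__init__()
        self.href, self.text = None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href")

    def handle_data(self, data):
        self.text += data


def parse_anchor(markup):
    reader = AnchorReader()
    reader.feed(markup)
    reader.close()
    return reader.href, reader.text
```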