or "executeJavascript" attribute, as I can see the usefulness
of not cleaning the data when pulling from properties files, but by default it
should clean the data.
From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Tuesday, August 18, 2009 11:19 AM
To: Redfield, Jon
Subject:
hum, I am not sure about this, the value of the hidden input is
printed using the "property" tag, from hidden.ftl:

    name="${parameters.name?default("")?html}"<#rt/>
    <#if parameters.nameValue??>
    value="<@s.property value="parameters.nameValue"/>"<#rt/>

musachy
On Tue, Aug 18, 2009 at 8:24 AM, R
I haven't looked at it yet, but if you think it is a bug, feel free to
open a ticket here:
https://issues.apache.org/struts/secure/CreateIssue!default.jspa
and enter as much detail as possible, also if you have a patch for it,
it would help a lot :)
regards
musachy
On Tue, Aug 18, 2009 at 8:24
We're finishing up our first Struts 2 project (ver 2.1.6) and a security scan
has shown that the tag is vulnerable to cross site scripting because
it does not encode special characters. This feels like a bug, but is it?
We've since learned to use the scope interceptor, however there are still