Good morning Jeromy. So, for my own edification: includeParams != none essentially covers both HTTP GET and HTTP POST transmissions?
There also seems to be a bug with the treatment of URLs in the AnchorTag classes, specifically:

    import java.io.StringWriter;
    import javax.servlet.jsp.JspWriter;
    import org.apache.struts2.views.jsp.AbstractUITagTest;
    import org.apache.struts2.views.jsp.StrutsMockJspWriter;
    import org.apache.struts2.views.jsp.ui.AnchorTag;

    public class AnchorTagTest extends AbstractUITagTest {
        private StringWriter writer = new StringWriter();
        private AnchorTag tag;

        protected void setUp() throws Exception {
            super.setUp();
            request.setScheme("http");
            request.setServerName("localhost");
            request.setServerPort(80);
            tag = new AnchorTag();
            tag.setPageContext(pageContext);
            JspWriter jspWriter = new StrutsMockJspWriter(writer);
            pageContext.setJspWriter(jspWriter);
        }

        public void testActionURL() throws Exception {
            tag.setHref("TestAction.action"); // where is this method ?
            tag.doStartTag();
            tag.doEndTag();
            assertTrue(writer.toString().indexOf("href=\"TestAction.action\"") > -1);
            assertEquals("<a href=\"TestAction.action\"></a>", writer.toString());
        }
    }

where AnchorTag has no setHref method? I think I should update JIRA?

Thanks,
Martin

----- Original Message -----
From: Jeromy
To: "Struts Users Mailing List" <user@struts.apache.org>
Sent: Sunday, January 13, 2008 12:11 AM
Subject: Re: Feedback: WW-2414, XSS attack is possible if using <s:url ...> and <s:a ...>

> I don't think this is a critical problem sheerly because the high
> prevalence of such vulnerabilities means some of the responsibility
> falls on the developer to not trust user-entered data. The specific
> vulnerability is that when includeParams != none, the request URL was
> rendered unmodified within the HTML because the developer chose to use
> it in an anchor.
>
> I guess the proposal is that if encode=true, the entire URL query
> section should be URL encoded and not just the additional parameters? Is
> that right?
>
> Interestingly, encoding may not completely eliminate the vulnerability.
> In IE6 <a href="javascript%3Aalert%28%27hello%27%29"> doesn't execute
> the javascript, but also doesn't issue the request for a page of that name.
>
> GF wrote:
> > Of course,
> > to raise this security issue, the includeParams attribute parameter
> > of <s:url should be different from "none".

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
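The two rendering paths the thread is arguing about, as an added example that is not part of the original messages and is not Struts source. It mimics what a tag with includeParams != none does: the container hands the tag already URL-decoded request parameters, and if those are pasted back into the href without being re-encoded, a value such as `"><script>` closes the attribute. The hardened path URL-encodes every name and value on the way out and then escapes the finished URL for the attribute context. The method names (vulnerableHref, safeHref, decodeQuery, htmlAttribute, isSafeLinkTarget) and the attacker query string are constructed for this illustration; the scheme allow-list at the end goes beyond what the thread proposes and addresses the javascript: case Jeromy raises, where percent-encoding the colon only turns a live script into a dead link.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/** Illustration only; these are not Struts' own classes or methods. */
public class IncludeParamsXss {

    /**
     * What a servlet container gives the tag: parameters already URL-decoded.
     * Constructed here so the example runs without a container.
     */
    static Map<String, String> decodeQuery(String rawQueryString)
            throws UnsupportedEncodingException {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : rawQueryString.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    /** Naive includeParams: decoded names and values are concatenated verbatim. */
    static String vulnerableHref(String action, Map<String, String> params) {
        StringBuilder query = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (query.length() > 0) query.append('&');
            query.append(e.getKey()).append('=').append(e.getValue());
        }
        return "<a href=\"" + action + "?" + query + "\"></a>";
    }

    /**
     * Hardened: URL-encode each name and value (so '"', '<', '>' cannot appear
     * literally), then escape the whole URL for the double-quoted attribute.
     */
    static String safeHref(String action, Map<String, String> params)
            throws UnsupportedEncodingException {
        StringBuilder query = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (query.length() > 0) query.append('&');
            query.append(URLEncoder.encode(e.getKey(), "UTF-8"))
                 .append('=')
                 .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return "<a href=\"" + htmlAttribute(action + "?" + query) + "\"></a>";
    }

    /** Minimal escaping for a value placed inside a double-quoted HTML attribute. */
    static String htmlAttribute(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    /**
     * Encoding the query does not help when the attacker controls the scheme of
     * the href itself: "javascript:" survives as executable, and "javascript%3A"
     * is merely a broken link. Allow only relative URLs and http(s) instead.
     * Whitespace is stripped first because browsers ignore embedded tabs and
     * newlines when reading the scheme.
     */
    static boolean isSafeLinkTarget(String href) {
        String h = href.replaceAll("\\s", "").toLowerCase(Locale.ROOT);
        int colon = h.indexOf(':');
        int slash = h.indexOf('/');
        boolean hasScheme = colon >= 0 && (slash < 0 || colon < slash);
        return !hasScheme || h.startsWith("http://") || h.startsWith("https://");
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker request. A browser sends the dangerous characters
        // percent-encoded; the container decodes them before the tag sees them.
        String rawQuery = "q=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&page=2";
        Map<String, String> params = decodeQuery(rawQuery);

        System.out.println(vulnerableHref("TestAction.action", params));
        System.out.println(safeHref("TestAction.action", params));

        System.out.println(isSafeLinkTarget("javascript:alert('hello')"));
        System.out.println(isSafeLinkTarget("java\nscript:alert('hello')"));
        System.out.println(isSafeLinkTarget("TestAction.action?page=2"));
        System.out.println(isSafeLinkTarget("https://localhost/TestAction.action"));
    }
}
```

Run as-is and compare the two anchors: in the vulnerable one the quote in the decoded value terminates the href attribute and the script element that follows is live markup, while in the hardened one the same characters come out percent-encoded inside the attribute and the separating ampersand is written as &amp;. The last four lines show the scheme check rejecting both the plain and the newline-obfuscated javascript: targets while accepting relative and https links; this check is a separate control from parameter encoding and is what the IE6 observation in the thread is really pointing at.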