> I think that there are two levels of encoding:
>
> 1) in s:url, the parameter values must be encoded, to create a valid
> (and safe) URL.
> 2) in s:a, the whole URL must be encoded, simply because it is used
> inside an HTML element (<a>) between double quotes. For example, '&'
> becomes &amp;

So do you also think that the s:a behavior should be modified?

By the way, I checked the official wiki page at http://struts.apache.org/2.x/docs/a.html. If you just copy and paste the example at the end of it, after fixing some bugs it has (a non-matching </s:a> and an invalid attribute in <s:param>), that code also has the XSS vulnerability. I tested it on the struts2-blank-2.0.11 box.
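
The two levels of encoding described in the quoted message, as an added Java example that is not part of the original thread and is not Struts code. The class, method and URL names are hypothetical, the sample values are constructed, and Java 10 or later is assumed for `URLEncoder.encode(String, Charset)`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; class and method names are hypothetical, not Struts APIs.
public class TwoLevelEncoding {

    // Level 1: percent-encode every parameter name and value so the URL is valid.
    static String buildUrl(String base, Map<String, String> params) {
        StringBuilder url = new StringBuilder(base);
        char sep = base.indexOf('?') >= 0 ? '&' : '?';
        for (Map.Entry<String, String> p : params.entrySet()) {
            url.append(sep)
               .append(URLEncoder.encode(p.getKey(), StandardCharsets.UTF_8))
               .append('=')
               .append(URLEncoder.encode(p.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return url.toString();
    }

    // Level 2: escape the finished URL for use inside a double-quoted HTML attribute.
    static String escapeHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "Tom & Jerry");     // constructed: '&' inside a value
        params.put("note", "\"quoted\" <b>");  // constructed: quote and angle bracket
        String url = buildUrl("/example/edit.action", params);
        String raw = "/example/list.action?sort=\"><i>x</i>"; // constructed: URL that skipped level 1
        System.out.println("<a href=\"" + escapeHtmlAttribute(url) + "\">edit</a>");
        System.out.println("<a href=\"" + escapeHtmlAttribute(raw) + "\">list</a>");
    }
}
```

In the first link the only character level 2 has to change is the `&` separating the two parameters; in the second, level 2 alone keeps the quote and angle brackets from closing the `href` attribute.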