Are you suggesting that javascript injection in href be disabled to prevent XSS attacks?
Martin--
----- Original Message -----
From: "GF" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <user@struts.apache.org>
Sent: Tuesday, January 15, 2008 3:27 AM
Subject: Re: Feedback: WW-2414, XSS attack is possible if using <s:url ...> and <s:a ...>

> > Hi Antonio, as I mentioned in a previous post, it's not so simple as the
> > href attribute of s:a can legally contain javascript or vbscript.
>
> I think that the problem about <a> in href attribute is the double
> quote " character, because it will close the href attribute, then with
> a greater than symbol, you will close the <a> too and finally you can
> inject any kind of Javascript inside the page.
> I think that <s:a> can implement this kind of checking, no?
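
The two points raised in this thread (a double quote closing the href attribute, and href legally carrying a script scheme) call for two separate checks. The following is an added example, not part of the original messages and not Struts code: `HrefAttributeDemo`, `renderAnchor`, the scheme allowlist and the sample inputs are all assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;

public class HrefAttributeDemo {
    // Assumed allowlist for this example; adjust per application.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "mailto");

    // Escape characters that can end a quoted attribute value or start new markup.
    static String escapeAttribute(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // True for relative URLs and for URLs whose scheme is on the allowlist.
    static boolean hasAllowedScheme(String href) {
        // Browsers ignore tabs, newlines and leading whitespace when reading a scheme.
        String cleaned = href.replaceAll("[\\x00-\\x20]", "");
        int colon = cleaned.indexOf(':');
        if (colon < 0) return true;
        String prefix = cleaned.substring(0, colon);
        if (prefix.matches(".*[/?#].*")) return true; // colon is in path or query
        return ALLOWED_SCHEMES.contains(prefix.toLowerCase(Locale.ROOT));
    }

    // Hypothetical renderer standing in for what a link tag would emit.
    static String renderAnchor(String href, String text) {
        String target = hasAllowedScheme(href) ? href : "#";
        return "<a href=\"" + escapeAttribute(target) + "\">" + escapeAttribute(text) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed inputs: a quote-and-bracket value, a script-scheme value, a normal URL.
        System.out.println(renderAnchor("/view.action?name=x\"><b>injected</b>", "view"));
        System.out.println(renderAnchor("java\tscript:void(0)", "click"));
        System.out.println(renderAnchor("https://example.org/?a=1&b=2", "ok"));
    }
}
```

Escaping keeps the first value inside the attribute; only the scheme check handles the second, which contains no character that escaping would change.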