We're finishing up our first Struts 2 project (ver 2.1.6), and a security scan has shown that the <s:hidden> tag is vulnerable to cross-site scripting because it does not encode special characters. This feels like a bug, but is it? We've since learned to use the scope interceptor; however, there are still times we'd like to use <s:hidden> but can't unless we clean the data ourselves. We've found that the <s:property> tag does HTML encoding, and the <s:url> and <s:a> tags do URI encoding, and feel the framework should also cleanse <s:hidden>.
Any thoughts?

Jon Redfield
Software Engineer
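As an added illustration, not part of the original post and not Struts code, of why an unencoded value inside the value="..." attribute of a hidden input is an XSS finding, and what "cleaning the data ourselves" amounts to: a hand-rolled HTML attribute escaper rendered beside the unescaped form, driven by a constructed attacker-controlled value. The class, method names and payload are all assumptions for the demo; the point is only that the five characters & < > " ' decide whether the value stays inside the attribute.

```java
public class HiddenFieldEscapingDemo {

    // Minimal HTML attribute escaper (illustrative; not Struts code).
    // These five characters are the ones that can terminate or alter a
    // double-quoted attribute or start a new tag.
    static String escapeHtmlAttribute(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // A hidden field with the value written through unchanged, which is the
    // behaviour the scan flagged.
    static String renderHiddenUnescaped(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + value + "\"/>";
    }

    // Same markup with name and value escaped for the attribute context.
    static String renderHiddenEscaped(String name, String value) {
        return "<input type=\"hidden\" name=\"" + escapeHtmlAttribute(name)
             + "\" value=\"" + escapeHtmlAttribute(value) + "\"/>";
    }

    // Crude structural check: a correctly rendered hidden input has exactly the
    // four attribute-delimiting quotes and no '<' after the opening one, so an
    // injected tag or extra attribute shows up as a failure.
    static boolean looksLikeSingleInputTag(String html) {
        int quotes = 0;
        for (char c : html.toCharArray()) {
            if (c == '"') quotes++;
        }
        boolean oneTag = html.indexOf('<', 1) == -1;
        return quotes == 4 && oneTag;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value, e.g. a request parameter echoed
        // back into the form. It closes the attribute and the tag, injects a
        // script, and reopens an input so the trailing markup still parses.
        String payload = "123\"><script>alert(document.cookie)</script><input value=\"";

        String raw  = renderHiddenUnescaped("orderId", payload);
        String safe = renderHiddenEscaped("orderId", payload);

        System.out.println("unescaped: " + raw);
        System.out.println("  single input tag? " + looksLikeSingleInputTag(raw));   // false
        System.out.println("escaped:   " + safe);
        System.out.println("  single input tag? " + looksLikeSingleInputTag(safe));  // true
    }
}
```

The structural check is only a smoke test for the demo, not a substitute for a real encoder: in production the escaping belongs in the view layer's tag or in a vetted library, applied to every attribute that carries untrusted data, so that the fix does not depend on remembering to call it at each <s:hidden> site.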