We're finishing up our first Struts 2 project (ver 2.1.6) and a security scan 
has shown that the <s:hidden> tag is vulnerable to cross site scripting because 
it does not encode special characters.  This feels like a bug, but is it?  
We've since learned to use the scope interceptor; however, there are still times 
we'd like to use <s:hidden> but can't unless we clean the data ourselves.  
We've found that the <s:property> tag does HTML Encoding, and the <s:url> and 
<s:a> tags do URI Encoding, and feel the framework should also cleanse 
<s:hidden>.

Any thoughts?

Jon Redfield
Software Engineer
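As an added example (not code from the post above or from Struts itself), the HTML attribute encoding a hidden-field tag needs to apply before writing a value into the page, rendered once unencoded as the post reports <s:hidden> doing and once encoded; the class and method names are assumptions:

```java
// Added example (not Struts code): the attribute encoding a safe hidden-field
// tag has to apply before writing a value into HTML.
public class HiddenFieldEncoder {

    // Encode the five characters that let a value break out of a quoted
    // attribute or be parsed as markup.
    public static String escapeAttribute(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the post reports <s:hidden> doing: the value is written as-is,
    // so a quote in the value ends the attribute early.
    public static String renderHiddenUnencoded(String name, String value) {
        return "<input type=\"hidden\" name=\"" + escapeAttribute(name)
                + "\" value=\"" + value + "\"/>";
    }

    // The encoded form the post asks the framework to produce.
    public static String renderHiddenEncoded(String name, String value) {
        return "<input type=\"hidden\" name=\"" + escapeAttribute(name)
                + "\" value=\"" + escapeAttribute(value) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample: a value containing a quote and markup characters,
        // as might come back from a previous request's form field.
        String tainted = "O'Brien\" <b>&</b>";
        System.out.println(renderHiddenUnencoded("comment", tainted));
        System.out.println(renderHiddenEncoded("comment", tainted));
    }
}
```

Given the post's observation that <s:property> HTML-encodes its output, the same encoded result can be had in a JSP with a plain <input type="hidden" name="comment" value="<s:property value="comment"/>"/> until <s:hidden> encodes its value itself.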

