I haven't looked at it yet, but if you think it is a bug, feel free to
open a ticket here:

https://issues.apache.org/struts/secure/CreateIssue!default.jspa

and enter as much detail as possible, also if you have a patch for it,
it would help a lot :)

regards
musachy

On Tue, Aug 18, 2009 at 8:24 AM, Redfield, Jon<jon_redfi...@adp.com> wrote:
> We're finishing up our first Struts 2 project (ver 2.1.6) and a security scan 
> has shown that the <s:hidden> tag is vulnerable to cross site scripting 
> because it does not encode special characters.  This feels like a bug, but is 
> it?  We've since learned to use the scope interceptor, however there are 
> still times we'd like to use <s:hidden> but can't unless we clean the data 
> ourselves.  We've found that the <s:property> tag does HTML Encoding, and the 
> <s:url> and <s:a> tags do URI Encoding, and feel the framework should also 
> cleanse <s:hidden>.
>
> Any thoughts?
>
> Jon Redfield
> Software Engineer
>



-- 
"Hey you! Would you help me to carry the stone?" Pink Floyd
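As an added illustration of the problem raised in the thread (this is not code from the thread or from Struts itself): a minimal, hypothetical renderer that shows an unencoded hidden field beside one whose value gets the attribute-context HTML encoding `<s:property>` already applies, plus the quote-count check a regression test could use. The class name, the field name and the probe value are constructed.

```java
import java.util.Arrays;
import java.util.List;

// Hypothetical stand-in for a hidden-field tag; Struts' real template is not reproduced.
public class HiddenFieldEncoding {

    // A tag that does no encoding drops the value into the attribute verbatim.
    static String renderUnencoded(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + value + "\" />";
    }

    // Attribute-context HTML encoding: the characters that can close a
    // double-quoted attribute or start markup are replaced by entities.
    static String encodeAttr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    static String renderEncoded(String name, String value) {
        return "<input type=\"hidden\" name=\"" + encodeAttr(name)
             + "\" value=\"" + encodeAttr(value) + "\" />";
    }

    // Regression check: a hidden input with exactly three quoted attributes
    // must contain exactly six double quotes; any extra one means the value
    // broke out of its attribute.
    static boolean attributeIntact(String rendered) {
        return rendered.chars().filter(c -> c == '"').count() == 6;
    }

    public static void main(String[] args) {
        // Constructed scanner-style probe, the kind of input the security scan sends.
        List<String> values = Arrays.asList("42", "O'Neil & Sons", "\"><i>probe</i>");
        for (String v : values) {
            String raw = renderUnencoded("token", v);
            String enc = renderEncoded("token", v);
            System.out.println("unencoded intact=" + attributeIntact(raw) + "  " + raw);
            System.out.println("encoded   intact=" + attributeIntact(enc) + "  " + enc);
        }
    }
}
```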

