I haven't looked at it yet, but if you think it is a bug, feel free to open a ticket here:
https://issues.apache.org/struts/secure/CreateIssue!default.jspa and enter as much detail as possible. Also, if you have a patch for it, it would help a lot :)

regards
musachy

On Tue, Aug 18, 2009 at 8:24 AM, Redfield, Jon <jon_redfi...@adp.com> wrote:
> We're finishing up our first Struts 2 project (ver 2.1.6) and a security scan
> has shown that the <s:hidden> tag is vulnerable to cross site scripting
> because it does not encode special characters. This feels like a bug, but is
> it? We've since learned to use the scope interceptor; however, there are
> still times we'd like to use <s:hidden> but can't unless we clean the data
> ourselves. We've found that the <s:property> tag does HTML Encoding, and the
> <s:url> and <s:a> tags do URI Encoding, and feel the framework should also
> cleanse <s:hidden>.
>
> Any thoughts?
>
> Jon Redfield
> Software Engineer

--
"Hey you! Would you help me to carry the stone?"
Pink Floyd
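The concern raised in the quoted message is that a value written into the `value="..."` attribute of a hidden input without HTML encoding can terminate the attribute and leak into the markup. The following is an added illustration, not code from the thread or from Struts: the two `render_*` helpers are hypothetical stand-ins that mirror, respectively, the unencoded behaviour described for `<s:hidden>` and the encoded behaviour described for `<s:property>`, and the attribute parser is a deliberately minimal model of how a browser splits attributes at double quotes. The sample value is constructed.

```python
import html
import re

# Constructed sample value: user-supplied data that contains a double quote
# and angle brackets, the characters that end an HTML attribute or start a
# tag when written verbatim.
SAMPLE_VALUE = 'say "hi" <b>'


def render_hidden_unescaped(name, value):
    """Hypothetical helper mirroring the behaviour the thread describes:
    the value is written straight into the attribute with no encoding."""
    return '<input type="hidden" name="%s" value="%s" />' % (name, value)


def render_hidden_escaped(name, value):
    """Hardened form: HTML-escape name and value. html.escape with
    quote=True (the default) also converts the double quote, so the data
    can never close the attribute it sits in."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


# Minimal model of attribute parsing: an attribute is whitespace, a name,
# '="', then everything up to the next double quote.
ATTR_RE = re.compile(r'\s([a-zA-Z-]+)="([^"]*)"')


def parse_attributes(tag):
    """Return the attributes a browser-like parser would see for one tag."""
    return dict(ATTR_RE.findall(tag))


def value_survives(render, name, value):
    """True when the rendered tag parses back to exactly three attributes
    (type, name, value) and the decoded value equals the original, i.e.
    nothing leaked out of the attribute boundary."""
    attrs = parse_attributes(render(name, value))
    return len(attrs) == 3 and html.unescape(attrs.get('value', '')) == value


if __name__ == '__main__':
    for render in (render_hidden_unescaped, render_hidden_escaped):
        tag = render('token', SAMPLE_VALUE)
        print(render.__name__)
        print('  rendered :', tag)
        print('  parsed   :', parse_attributes(tag))
        print('  intact   :', value_survives(render, 'token', SAMPLE_VALUE))
```

Running the block shows the unescaped rendering parsing back with `value` truncated to `say ` and the rest of the data sitting loose in the tag, while the escaped rendering round-trips to the original string. The same check is a useful regression test for any custom tag that writes request data into attributes: render it with a value containing `"`, `<`, `>` and `&`, parse the result, and assert the value comes back unchanged.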