Okay, after further research it appears that <s:hidden> DOES filter its text when rendered, but not when its value is transferred to the action's property.
The confusion came about because we had an <s:text> tag on the page that referenced the same variable as the <s:hidden> tag, and the <s:text> tag does not clean its data when rendered. So, in conjunction with the <s:hidden> tag referencing the same field on the action, we have (had) a security problem. Obviously the <s:text> tag should never have referenced a value on the stack, as it's truly meant for properties files, and changing it to an <s:property> tag has resolved the issue.

So, another question for the group: should the <s:text> tag clean its data, especially when the "var" attribute is used, or is this by design and we just needed experience to figure this out? My personal vote is that it should have an "HTMLEncode" or "executeJavascript" attribute, as I can see the usefulness of not cleaning the data when pulling from properties files, but by default it should clean the data.

From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Tuesday, August 18, 2009 11:19 AM
To: Redfield, Jon
Subject: RE: Hidden tag does not HTML Encode

struts-plugin.xml
<bean type="org.apache.struts2.rest.handler.ContentTypeHandler" name="x-www-form-urlencoded" class="org.apache.struts2.rest.handler.FormUrlEncodedHandler" />
http://www.techq.com/source/java/Struts/2.1.6/org/apache/struts2/rest/handler/FormUrlEncodedHandler.html
handles application/x-www-form-urlencoded

ping back if this does not handle URL encoding for you

Martin Gainty
______________________________________________
Disclaimer and confidentiality note
This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorized forwarding or copying is not permitted. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for their content.
> Date: Tue, 18 Aug 2009 09:02:27 -0700
> Subject: Re: Hidden tag does not HTML Encode
> From: musa...@gmail.com
> To: user@struts.apache.org
>
> I haven't looked at it yet, but if you think it is a bug, feel free to open a ticket here:
>
> https://issues.apache.org/struts/secure/CreateIssue!default.jspa
>
> and enter as much detail as possible; also, if you have a patch for it, it would help a lot :)
>
> regards
> musachy
>
> On Tue, Aug 18, 2009 at 8:24 AM, Redfield, Jon <jon_redfi...@adp.com> wrote:
> > We're finishing up our first Struts 2 project (ver 2.1.6) and a security scan has shown that the <s:hidden> tag is vulnerable to cross site scripting because it does not encode special characters. This feels like a bug, but is it? We've since learned to use the scope interceptor; however, there are still times we'd like to use <s:hidden> but can't unless we clean the data ourselves. We've found that the <s:property> tag does HTML Encoding, and the <s:url> and <s:a> tags do URI Encoding, and feel the framework should also cleanse <s:hidden>.
> >
> > Any thoughts?
> >
> > Jon Redfield
> > Software Engineer
> >
> > ----------------------------------------------------------------------
> > This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential.
> > If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
>
> --
> "Hey you! Would you help me to carry the stone?" Pink Floyd
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
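The whole thread turns on one distinction: a tag that HTML-encodes the value it writes into a hidden field's value attribute versus one that interpolates it raw. The following is an added example, not code from the thread or from Struts itself: a minimal attribute encoder of the kind an escaping tag such as <s:property> applies, placed next to the raw interpolation an unescaping tag performs, and a crude shape check that flags when an injected value has closed the attribute. The class name, the field name "accountId" and the two request values are constructed for illustration and are assumptions, not anything from the original messages.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Struts code): why an unencoded value inside
 * <input type="hidden" value="..."> is a cross-site scripting sink, and
 * what attribute encoding does about it.
 */
public class HiddenFieldEncoding {

    /** Encode the characters that can close or alter a double- or single-quoted HTML attribute. */
    public static String encodeAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Raw interpolation: what a tag that does not encode effectively emits. */
    public static String renderRaw(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + value + "\"/>";
    }

    /** Encoded interpolation: every dynamic value passes through the encoder. */
    public static String renderEncoded(String name, String value) {
        return "<input type=\"hidden\" name=\"" + encodeAttribute(name)
                + "\" value=\"" + encodeAttribute(value) + "\"/>";
    }

    /**
     * Crude shape check for this one template: a well-formed hidden input has exactly
     * six double quotes (type, name, value). Any extra quote means the injected value
     * closed an attribute and is now being parsed as markup.
     */
    public static boolean breaksOutOfAttribute(String html) {
        int quotes = 0;
        for (int i = 0; i < html.length(); i++) {
            if (html.charAt(i) == '"') quotes++;
        }
        return quotes != 6;
    }

    public static void main(String[] args) {
        // Constructed request values of the shape a scanner submits into a form field:
        // the first injects a script element, the second injects an event handler.
        List<String> payloads = Arrays.asList(
                "\"><script>alert(document.cookie)</script>",
                "\" autofocus onfocus=\"alert(1)");

        for (String payload : payloads) {
            String raw  = renderRaw("accountId", payload);
            String safe = renderEncoded("accountId", payload);
            System.out.println("raw:     " + raw);
            System.out.println("         breaks out of attribute: " + breaksOutOfAttribute(raw));
            System.out.println("encoded: " + safe);
            System.out.println("         breaks out of attribute: " + breaksOutOfAttribute(safe));
            System.out.println();
        }
    }
}
```

Run it with `javac HiddenFieldEncoding.java && java HiddenFieldEncoding`. Inside a double-quoted attribute the character that matters is the quote itself; the encoder also rewrites `<`, `>`, `&` and `'` so the same function stays safe if the value is later echoed into element text or a single-quoted attribute, which is exactly the situation the thread describes when one field is rendered by two different tags.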