Okay, after further research it appears that <s:hidden> DOES filter its text 
when rendered, but not when its value is transferred to the action's property. 

The confusion came about because we had an <s:text> tag on the page that 
referenced the same variable as the <s:hidden> tag, and the <s:text> tag does 
not clean its data when rendered.  So, in conjunction with the <s:hidden> tag 
referencing the same field on the action, we have (had) a security problem.  
Obviously the <s:text> tag should never have referenced a value on the stack as 
it's truly meant for properties files, and changing it to an <s:property> tag 
has resolved the issue.  

So, another question for the group: Should the <s:text> tag clean its data, 
especially when the "var" attribute is used, or is this by design and we just 
needed experience to figure this out?  My personal vote is that it should have 
an "HTMLEncode" or "executeJavascript" attribute, as I can see the usefulness 
of not cleaning the data when pulling from properties files, but by default it 
should clean the data.  
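As an added example (not code from this thread or from Struts), the mechanism described above in plain Java: a value written into a hidden field's value attribute without encoding, the way an unescaped <s:text var="..."> value reaches the page, beside the HTML-encoded form that <s:hidden> and <s:property> emit on output. The class, method names and the sample value are constructed for illustration.

```java
public class HiddenFieldEscapeDemo {

    // Escapes the five characters that can break out of an attribute or element
    // (the same transformation <s:property> applies by default when rendering).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Unescaped: user-controlled text dropped straight into a double-quoted attribute.
    static String renderUnescaped(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + value + "\"/>";
    }

    // Escaped: what a rendered <s:hidden> does, the value is HTML-encoded first.
    static String renderEscaped(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + escapeHtml(value) + "\"/>";
    }

    // Defender's check (hypothetical helper): a raw quote or angle bracket inside the
    // attribute means the value can close the attribute or tag. True when the markup is intact.
    static boolean attributeIsIntact(String html, String name) {
        String prefix = "<input type=\"hidden\" name=\"" + name + "\" value=\"";
        String inner = html.substring(prefix.length(), html.length() - "\"/>".length());
        return inner.indexOf('"') < 0 && inner.indexOf('<') < 0 && inner.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of value a security scanner flags, with a quote and angle brackets.
        String tainted = "x\"><b>y</b>";
        System.out.println(renderUnescaped("token", tainted)); // attribute is closed early by the value
        System.out.println(renderEscaped("token", tainted));   // value stays inside the attribute
        System.out.println(attributeIsIntact(renderUnescaped("token", tainted), "token"));
        System.out.println(attributeIsIntact(renderEscaped("token", tainted), "token"));
    }
}
```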

From: Martin Gainty [mailto:mgai...@hotmail.com] 
Sent: Tuesday, August 18, 2009 11:19 AM
To: Redfield, Jon
Subject: RE: Hidden tag does not HTML Encode

struts-plugin.xml
<bean type="org.apache.struts2.rest.handler.ContentTypeHandler" 
name="x-www-form-urlencoded" 
class="org.apache.struts2.rest.handler.FormUrlEncodedHandler" />
http://www.techq.com/source/java/Struts/2.1.6/org/apache/struts2/rest/handler/FormUrlEncodedHandler.html

handles application/x-www-form-urlencoded

ping back if this does not handle url encoding for you
Martin Gainty 
______________________________________________ 

> Date: Tue, 18 Aug 2009 09:02:27 -0700
> Subject: Re: Hidden tag does not HTML Encode
> From: musa...@gmail.com
> To: user@struts.apache.org
> 
> I haven't looked at it yet, but if you think it is a bug, feel free to
> open a ticket here:
> 
> https://issues.apache.org/struts/secure/CreateIssue!default.jspa
> 
> and enter as much detail as possible, also if you have a patch for it,
> it would help a lot :)
> 
> regards
> musachy
> 
> On Tue, Aug 18, 2009 at 8:24 AM, Redfield, Jon<jon_redfi...@adp.com> wrote:
> > We're finishing up our first Struts 2 project (ver 2.1.6) and a security 
> > scan has shown that the <s:hidden> tag is vulnerable to cross site 
> > scripting because it does not encode special characters.  This feels like a 
> > bug, but is it?  We've since learned to use the scope interceptor, however 
> > there are still times we'd like to use <s:hidden> but can't unless we clean 
> > the data ourselves.  We've found that the <s:property> tag does HTML 
> > Encoding, and the <s:url> and <s:a> tags do URI Encoding, and feel the 
> > framework should also cleanse <s:hidden>.
> >
> > Any thoughts?
> >
> > Jon Redfield
> > Software Engineer
> >
> >
> 
> 
> 
> -- 
> "Hey you! Would you help me to carry the stone?" Pink Floyd
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
> 
