This is my first posting to this list, so excuse me if this is an
issue that's already been addressed.

My concern is with the XSS vulnerability in the following use case:

<s:text name="resource.key">
  <s:param value="param1"/>
</s:text>

It seems (Struts 2.1.8.1) that there is no mechanism in s:text or
s:param to do HTML escaping. If param1 contains user input then this
opens the door to XSS attacks.

The easiest solution I can see is to modify the code to

<s:text var="v" name="resource.key">
  <s:param value="param1"/>
</s:text>
<s:property value="v"/>

This works, but it is a lot of work. It seems to me it would be better
if Struts2 supported

<s:text name="resource.key" escape="true">
  <s:param value="param1"/>
</s:text>

or, better yet, had escape="true" as its default.

Is there another way round this problem which I am missing?

Thanks,

John

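As an added illustration (this is not part of John's post and not Struts code), the following plain Java program reproduces the problem with java.text.MessageFormat, which is what Struts' getText() uses underneath to substitute the {0}, {1}, ... placeholders that s:param fills. The bundle content, the key "resource.key" and the parameter value are constructed for the demo. It shows three renderings: the raw s:text/s:param behaviour, the var + s:property workaround from the post (escape the whole rendered message), and a third variant that escapes only the untrusted argument before substitution.

```java
import java.text.MessageFormat;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not from the original post or from Struts.
 * Demonstrates why <s:text> with an unescaped <s:param> is an XSS sink,
 * and what the two escaping strategies do to the output.
 */
public class TextParamEscaping {

    // Constructed stand-in for a .properties resource bundle (assumption).
    // Note that the message itself carries markup the page author intends.
    private static final Map<String, String> BUNDLE = new HashMap<>();
    static {
        BUNDLE.put("resource.key", "Welcome back, <b>{0}</b>!");
    }

    /** Escapes the characters that matter in HTML text and attribute values. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Equivalent of <s:text name="key"><s:param value="param"/></s:text>:
     * the argument is dropped into the message verbatim.
     */
    public static String renderUnescaped(String key, String param) {
        return MessageFormat.format(BUNDLE.get(key), param);
    }

    /**
     * The workaround from the post: render into a variable, then output it
     * through <s:property>, which escapes the whole string by default.
     * This also escapes the <b> tags that the bundle itself contains.
     */
    public static String renderEscapeWhole(String key, String param) {
        return escapeHtml(MessageFormat.format(BUNDLE.get(key), param));
    }

    /**
     * Escape only the untrusted argument before substitution. Markup that is
     * part of the trusted resource bundle survives; the user input does not.
     */
    public static String renderEscapeParam(String key, String param) {
        return MessageFormat.format(BUNDLE.get(key), escapeHtml(param));
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value for param1.
        String param1 = "<script>alert(1)</script>";
        System.out.println(renderUnescaped("resource.key", param1));
        System.out.println(renderEscapeWhole("resource.key", param1));
        System.out.println(renderEscapeParam("resource.key", param1));
    }
}
```

Running it makes the trade-off visible: the first line is the live script injection, the second is safe but has turned the bundle's own bold tags into literal text, and the third keeps the intended markup while neutralising the input. If the message bundle deliberately contains HTML, escaping the parameter at the point it is passed in (rather than escaping the finished message) is the variant that preserves the page's intent. Keep in mind that MessageFormat treats a single quote in the pattern as a quoting character, so bundle messages, not arguments, need that handled separately.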
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
