A slightly cleaner way would be like this:

<s:text name="resource.key"><s:param><s:property value="param1"/></s:param></s:text>

I think in most cases <s:text> is used for displaying "safe" text that the app either supplies or generates. Obviously, if you do use it to echo user-supplied data you need to be careful. It would be nice to have a flag like you suggest; however, it might be difficult to get the behavior exactly right, since the text may contain formatting tags and what you really want is to just escape the parameters.

On Thu, Feb 18, 2010 at 5:25 PM, John Orr <webskate...@googlemail.com> wrote:
> This is my first posting to this list, so excuse me if this is an
> issue that's already been addressed.
>
> My concern is with the XSS vulnerability in the following use case:
>
> <s:text name="resource.key">
> <s:param value="param1"/>
> </s:text>
>
> It seems (Struts 2.1.8.1) that there is no mechanism in s:text or
> s:param to do HTML escaping. If param1 contains user input then this
> opens the door to XSS attacks.
>
> The easiest solution I can see is to modify the code to
>
> <s:text var="v" name="resource.key">
> <s:param value="param1"/>
> </s:text>
> <s:property value="v"/>
>
> This works, but it is a lot of work. It seems to me it would be better
> if Struts2 supported
>
> <s:text name="resource.key" escape="true">
> <s:param value="param1"/>
> </s:text>
>
> or, better yet, had escape="true" as its default.
>
> Is there another way round this problem which I am missing?
>
> Thanks,
>
> John
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
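As an added example (not code from the thread or from the Struts project), the following Java program mirrors the point made above: escaping the whole formatted message would also mangle the markup the resource text legitimately carries, while escaping only the parameter, as the nested <s:property> does, keeps that markup and neutralises the injected value. The resource text, the user input and the escapeHtml helper are constructed for this example.

```java
import java.text.MessageFormat;

public class EscapeParamsDemo {

    // Constructed resource bundle value: it legitimately carries markup.
    static final String RESOURCE_TEXT = "Welcome back, <b>{0}</b>!";

    // Constructed user-supplied value that gets reflected into the page.
    static final String USER_INPUT = "<script>alert(1)</script>";

    // Minimal HTML escaping (assumed helper, standing in for what
    // <s:property> does by default in Struts 2).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Mirrors plain <s:text> + <s:param>: the parameter reaches the page verbatim.
    static String unsafe(String resource, String param) {
        return MessageFormat.format(resource, param);
    }

    // Mirrors escaping the finished message (the proposed escape="true"):
    // the script is neutralised, but so are the <b> tags the resource meant to emit.
    static String escapeWholeMessage(String resource, String param) {
        return escapeHtml(MessageFormat.format(resource, param));
    }

    // Mirrors <s:param><s:property value="param1"/></s:param>: only the
    // parameter is escaped, the resource markup survives.
    static String escapeParamsOnly(String resource, String param) {
        return MessageFormat.format(resource, escapeHtml(param));
    }

    public static void main(String[] args) {
        System.out.println("unsafe:        " + unsafe(RESOURCE_TEXT, USER_INPUT));
        System.out.println("whole message: " + escapeWholeMessage(RESOURCE_TEXT, USER_INPUT));
        System.out.println("params only:   " + escapeParamsOnly(RESOURCE_TEXT, USER_INPUT));
    }
}
```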