Key: DISPL-223
Type: Bug
Status: Closed
Resolution: Incomplete
Priority: Critical
Reporter: Anonymous
Votes: 0
Watchers: 0
DisplayTag

column property attribute susceptible to cross-site scripting!!

Created: 12/Jul/05 01:59 PM   Updated: 03/Sep/05 01:53 PM   Resolved: 03/Sep/05 01:53 PM
Component/s: HTML Generation
Affects Version/s: 1.0
Fix Version/s: None

Time Tracking:
Original Estimate: 2 hours
Remaining Estimate: 2 hours
Time Spent: Not Specified

Application server: tomcat 5.5.4


Description
Column tag "property" (http://displaytag.sourceforge.net/tagreference-displaytag-12.html#column) is susceptible to cross-site scripting.
It should offer a 'filter="true"' as existing in http://struts.apache.org/userGuide/struts-bean.html#write

Ralf Hauser added a comment - 12/Jul/05 02:01 PM
A workaround is never to use the property attribute, but always a nested "struts bean:write".
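
The workaround from the comment above, shown as an added example (not code from the reporter, the commenter or the displaytag project). It assumes a list stored under the hypothetical name `comments` whose beans have hypothetical `author` and `text` properties holding user-supplied strings, and the taglib URIs of displaytag 1.0 and Struts 1.2.

```jsp
<%@ taglib uri="http://displaytag.sf.net" prefix="display" %>
<%@ taglib uri="http://struts.apache.org/tags-bean" prefix="bean" %>

<%-- Before: the value is fetched through the column's "property" attribute.
     Per this report, the column tag offers no filter option, so markup stored
     in the bean (for example a comment saved earlier by another user)
     reaches the cell unescaped. --%>
<display:table name="comments">
  <display:column property="author" title="Author" />
  <display:column property="text" title="Comment" />
</display:table>

<%-- After: no "property" attribute on the column. "uid" exposes the current
     row object in page scope under the name "row", and the nested bean:write
     renders the value. filter="true" (the bean:write default, spelled out
     here) replaces HTML-sensitive characters such as < > & " with entities. --%>
<display:table name="comments" uid="row">
  <display:column title="Author">
    <bean:write name="row" property="author" filter="true" />
  </display:column>
  <display:column title="Comment">
    <bean:write name="row" property="text" filter="true" />
  </display:column>
</display:table>
```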

fabrizio giustina added a comment - 03/Sep/05 01:53 PM
Cross-site scripting means that a user could inject a script by passing parameters to the page: the "property" attribute specifies a value to be fetched from an object provided server side by the application, not from a parameter. This has nothing to do with cross-site scripting.