DisplayTag

column property attribute susceptible to cross-site scripting!!

Details

  • Type: Bug
  • Status: Closed
  • Priority: Critical
  • Resolution: Incomplete
  • Affects Version/s: 1.0
  • Fix Version/s: None
  • Component/s: HTML Generation
  • Labels:
    None
  • Application server:
    tomcat 5.5.4

Description

Column tag "property" (http://displaytag.sourceforge.net/tagreference-displaytag-12.html#column) is susceptible to cross-site scripting.
It should offer a 'filter="true"' as existing in http://struts.apache.org/userGuide/struts-bean.html#write

Activity

Ralf Hauser added a comment -
A work-around is never to use the property attribute, but always a nested "struts bean:write".
fabrizio giustina added a comment -
Cross-site scripting means that a user could inject a script by passing parameters to the page: the "property" attribute specifies a value to be fetched from an object provided server side by the application, not from a parameter. This has nothing to do with cross-site scripting.
aaron pieper added a comment -
I realize this is an old issue - but it seems like it's still pertinent? I agree with the submitter that this tag is vulnerable to cross-site scripting, and I don't understand your dismissal of the issue. You're right, the "property" attribute specifies a value which is fetched from a server-side object, but that doesn't contradict the idea that this would be relevant to cross-site scripting.

For example, one might create a web application which allows for users to submit new products, with a product description (500 character field which needs to support special characters). These products, after being retrieved from the database, might be displayed in a table that uses display:column tags. Rendering these values with the column tag would render the description tag vulnerable to a cross-site scripting attack.

Assuming the software developer wants to continue using the displayTag library, the best workaround is the one Ralf Hauser suggested, but an optional filtering attribute would be much easier to use.
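Added example, not part of the original issue or of the DisplayTag project: the column form reported above next to the nested bean:write workaround from the first comment. The bean names (`products`, `product`, `description`) and the taglib URIs are assumptions and depend on the application and on the installed DisplayTag and Struts versions.

```jsp
<%-- Added example. Bean names ("products", "product", "description") are assumed. --%>
<%-- Taglib URIs are assumed; they depend on the installed library versions. --%>
<%@ taglib uri="http://displaytag.sf.net" prefix="display" %>
<%@ taglib uri="http://struts.apache.org/tags-bean" prefix="bean" %>

<%-- "products" is a server-side collection of user-submitted product beans.
     id="product" exposes the current row object under that name. --%>
<display:table name="products" id="product">

  <%-- Form reported in this issue: the description value is written into
       the cell as-is, so markup stored in it is interpreted by the browser. --%>
  <display:column property="description" title="Description (unfiltered)" />

  <%-- Workaround from the first comment: no property attribute. The cell
       body comes from bean:write, which with filter="true" replaces
       HTML-sensitive characters with their entities. --%>
  <display:column title="Description (filtered)">
    <bean:write name="product" property="description" filter="true" />
  </display:column>

</display:table>
```

A quick check with a constructed description such as `<b>bold</b>`: the first column shows bold text, the second shows the markup literally.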

People

  • Reporter:
    Anonymous

Dates

  • Created:
    Updated:
    Resolved:

Time Tracking

  • Estimated: 2h
  • Remaining: 2h
  • Logged: Not Specified