Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
716 views
in Technique[技术] by (71.8m points)

jsp - Make ${} operator XSS safe in Struts 2 (same as tapestry)

As mentioned in http://www.disasterarea.co.uk/blog/xss-vulnerabilities-in-web-frameworks-2/

The ${} is not xss safe in struts 2 while it is safe in tapestry 5.

I am not a Tapestry guy, but I want to know if above is correct.

As far as I know the ${} is part of JSLT and it does not depend on any web frameworks. So if above sentence is correct and the ${} is XSS safe in tapestry, how can we make it safe in struts 2.

Updated:

To test it I run struts2-showcase app, opened modelDrivenmodelDrivenResult.jsp and add below line:

Am I safe  ${name} 

Now when you run the show case and enter <script> alert('xxxx') </script> as gangester name you can see the alert!

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)
  1. Struts2 <s:property value="name" /> is automatically escaped by default;
  2. JSTL <c:out value="${name}" /> is automatically escaped by default;
  3. JSP EL ${name} is NOT escaped.

You can explicitly escape it with ${fn:escapeXml(name)} , or set the escape to be performed by default creating a custom ELResolver as described in this great article:


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...