[
https://issues.apache.org/jira/browse/WW-5623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tran Quac updated WW-5623:
--------------------------
Affects Version/s: 7.1.1
> XSS in PostbackResult.doExecute()
> ---------------------------------
>
> Key: WW-5623
> URL: https://issues.apache.org/jira/browse/WW-5623
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 7.1.1
> Reporter: Tran Quac
> Priority: Major
>
> h2. Summary
> PostbackResult.doExecute() at line 107 embeds finalLocation into a form
> action attribute via raw string concatenation without HTML encoding. The
> response Content-Type is text/html (line 103). A double-quote character in
> the location breaks out of the attribute, enabling reflected XSS.
> This is an encoding inconsistency: form field names and values at lines
> 218-219 ARE properly URL-encoded via URLEncoder.encode(), but the form action
> attribute was not encoded at all.
> h2. Changes
> * {*}PostbackResult.java{*}: Add encodeHtml() method to escape &, ", <, > in
> finalLocation before embedding in the HTML form tag. Consistent with the
> existing encoding approach for form field values.
> h2. Impact
> When a developer uses PostbackResult with an OGNL expression referencing a
> user-controllable property (a documented framework feature for dynamic
> routing), an attacker can inject arbitrary HTML attributes and elements via
> the form action attribute.
> h2. Refer
> [https://github.com/apache/struts/pull/1653]
> [https://github.com/apache/struts/pull/1653/changes/1b2242487179f38009d118707b8e70ab396a3d27]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
