As mentioned in http://www.disasterarea.co.uk/blog/xss-vulnerabilities-in-web-frameworks-2/
The ${} is not xss safe in struts 2 while it is safe in tapestry 5.
I am not a Tapestry guy, but I want to know if above is correct.
As far as I know the ${} is part of JSLT and it does not depend on any web frameworks. So if above sentence is correct and the ${} is XSS safe in tapestry, how can we make it safe in struts 2.
Updated:
To test it I run struts2-showcase app, opened modelDriven\modelDrivenResult.jsp and add below line:
Am I safe ${name}
Now when you run the show case and enter <script> alert('xxxx') </script> as gangester name you can see the alert!
- Struts2
<s:property value="name" />is automatically escaped by default; - JSTL
<c:out value="${name}" />is automatically escaped by default; - JSP EL
${name}is NOT escaped.
You can explicitly escape it with ${fn:escapeXml(name)} , or set the escape to be performed by default creating a custom ELResolver as described in this great article:
Short answer: make it safe either on entry into the app, or on the way to the view layer.
Tapestry's ${} is safe because it's not using JSP/JSP EL. Not escaping stuff is one of the things you lose by using JSP EL's ${} over things like <c:out> and so on.
来源:https://stackoverflow.com/questions/23365225/make-operator-xss-safe-in-struts-2-same-as-tapestry