

Adding a check for double quotes to help prevent XSS attacks
WW-2427


git-svn-id: https://svn.apache.org/repos/asf/struts/struts2/trunk@615212 13f79535-47bb-0310-9956-ffa450edef68
Donald J. Brown committed Jan 25, 2008
1 parent 7e169a9 commit dae026a
Showing 4 changed files with 35 additions and 2 deletions.
4 changes: 2 additions & 2 deletions core/src/main/java/org/apache/struts2/components/Anchor.java
Expand Up @@ -74,9 +74,9 @@ public void evaluateExtraParams() {
super.evaluateExtraParams();

if (href != null)
addParameter("href", findString(href));
addParameter("href", ensureAttributeSafelyNotEscaped(findString(href)));
}

@StrutsTagAttribute(description="The URL.")
public void setHref(String href) {
this.href = href;
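Review bot: Wrapping `findString(href)` in `ensureAttributeSafelyNotEscaped` changes what is passed when the href expression evaluates to null: the helper added to UIBean in this commit maps null to `""`, so the `href` parameter now becomes an empty string where it used to be null, and an empty href renders as a link to the current page if the template emits it. The `if (href != null)` guard above only checks the raw attribute, not the evaluated value. If the old null behaviour matters, evaluate once and guard on the result: `String value = findString(href);` / `if (value != null)` / `addParameter("href", ensureAttributeSafelyNotEscaped(value));` — hedged, since how the anchor template treats a null versus an empty parameter is not visible here. `evaluateExtraParams`'s signature sits in the hunk header and `setHref` at the bottom of the hunk continues past it.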
14 changes: 14 additions & 0 deletions core/src/main/java/org/apache/struts2/components/UIBean.java
Expand Up @@ -837,6 +837,20 @@ protected String escape(String name) {
}
}

/**
* Ensures an unescaped attribute value cannot be vulnerable to XSS attacks
*
* @param val The value to check
* @return The escaped value
*/
protected String ensureAttributeSafelyNotEscaped(String val) {
if (val != null) {
return val.replaceAll("\"", """);
} else {
return "";
}
}

protected void evaluateExtraParams() {
}

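Review bot: The Javadoc on `ensureAttributeSafelyNotEscaped` overstates what the method guarantees: it replaces only `"` (the rendered page shows the replacement literal as `"""`, but the `href-2.txt` fixture in this commit shows it is `&#34;`), so it stops a value from closing a double-quoted attribute and nothing more — `'`, `<`, `&` and a `javascript:` scheme all pass through, and an attribute a template renders in single quotes gets no protection at all. I would state that in the doc: `Neutralises double quotes in an attribute value that is deliberately emitted unescaped (e.g. href, where & must survive). Protects only attributes the template renders in double quotes; does not escape ', < or & and does not validate the value or its URL scheme.` Separately, `replaceAll` compiles a regex on every call for what is a fixed literal; `val.replace("\"", "&#34;")` does the same work without the regex engine. Note also that null becomes `""` here, which is a different value from the null that `Anchor.evaluateExtraParams` previously passed straight through to `addParameter`.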
15 changes: 15 additions & 0 deletions core/src/test/java/org/apache/struts2/views/jsp/ui/AnchorTest.java
Expand Up @@ -43,6 +43,21 @@ public void testSimple() throws Exception {
verify(AnchorTest.class.getResource("href-1.txt"));
}

public void testSimpleBadQuote() throws Exception {
TestAction testAction = (TestAction) action;
testAction.setFoo("bar");

AnchorTag tag = new AnchorTag();
tag.setPageContext(pageContext);

tag.setId("mylink");
tag.setHref("a\"");
tag.doStartTag();
tag.doEndTag();

verify(AnchorTest.class.getResource("href-2.txt"));
}

public void testDynamicAttribute() throws Exception {
TestAction testAction = (TestAction) action;
testAction.setFoo("bar");
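Review bot: `testAction.setFoo("bar")` on the second line of `testSimpleBadQuote` is never used by the test — the href under test is the literal `a\"` — and looks copied over from `testSimple`. Either drop it or use it to cover the case the fix is really for, a quote arriving through evaluated action data rather than a tag literal: `testAction.setFoo("a\"");` with `tag.setHref("%{foo}");`, assuming `findString` evaluates `%{...}` expressions as elsewhere in Struts 2 (not visible in this hunk). A companion case with `&` in the href would also pin down that the value stays otherwise unescaped, which is the whole reason `ensureAttributeSafelyNotEscaped` exists rather than the regular `escape`.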
@@ -0,0 +1,4 @@
<a
id="mylink"
href="a&#34;">
</a>
