
| Key: | APF-880 |
| Type: | Improvement |
| Status: | Resolved |
| Resolution: | Fixed |
| Priority: | Minor |
| Assignee: | Matt Raible |
| Reporter: | |
| Votes: | 0 |
| Watchers: | 0 |
| Environment: | winxp, jetty, postgres, IE |
|
Description

I use addError(...) to reflect messages to the user, including user input.
If the user input is something like <script>alert('hi');</script>, the JS is executed.
old:
<c:out value="${msg}" escapeXml="false"/>
I suggest:
<c:out value="${msg}" escapeXml="true"/>
The same goes for errors: ${error}
|
User information for <strong>{0}</strong> has been added successfully.
Oh well, XSS is more important I suppose.
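The following is an added example, written for this page and not code from AppFuse or from the reporter: it models in plain Java what the description's change from escapeXml="false" to escapeXml="true" does to a message built from the <script> payload, and why the success message quoted in the comment above loses its <strong> markup once the whole message is escaped at output time. The escapeXml helper mirrors the five characters JSTL's c:out escapes; formatWithEscapedArgs is a hypothetical alternative (not how addError works) that escapes only the user-supplied argument before it is merged into the message template, so the template's own markup survives. The template string and the user input are constructed from the text of this issue.

```java
import java.text.MessageFormat;

/**
 * Added example (not AppFuse code): output-time escaping as done by
 * <c:out escapeXml="true"> versus escaping only the user-supplied argument
 * before it is merged into a message template.
 */
public class MessageEscapingDemo {

    /** Same five characters JSTL's c:out escapes when escapeXml="true". */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Models escapeXml="false": the message reaches the browser untouched. */
    static String renderUnescaped(String msg) {
        return msg;
    }

    /** Models escapeXml="true": the whole message is escaped at output time. */
    static String renderEscaped(String msg) {
        return escapeXml(msg);
    }

    /**
     * Hypothetical alternative added here: escape each user-supplied argument
     * before MessageFormat merges it into the template, so markup carried by
     * the template itself (for example <strong>) is preserved while the
     * user-controlled part cannot inject tags.
     */
    static String formatWithEscapedArgs(String template, String... args) {
        Object[] escaped = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            escaped[i] = escapeXml(args[i]);
        }
        return MessageFormat.format(template, escaped);
    }

    public static void main(String[] args) {
        // Constructed sample input: the payload from the issue, entered as a user's name.
        String userInput = "<script>alert('hi');</script>";
        // Constructed template: the success message quoted in the comment above.
        String template = "User information for <strong>{0}</strong> has been added successfully.";

        // What addError-style code produces when the argument is merged unescaped.
        String msg = MessageFormat.format(template, userInput);

        // escapeXml="false": the <script> element reaches the browser as markup.
        System.out.println("escapeXml=false : " + renderUnescaped(msg));

        // escapeXml="true": the payload is neutralised, but <strong> is shown literally too.
        System.out.println("escapeXml=true  : " + renderEscaped(msg));

        // Escaping only the argument: payload neutralised, template markup kept.
        System.out.println("escaped arg     : " + formatWithEscapedArgs(template, userInput));
    }
}
```

Compile and run with javac MessageEscapingDemo.java && java MessageEscapingDemo. The three printed lines make the trade-off in the comment concrete: escaping at the c:out tag is the simplest fix and removes the injection, at the cost of any markup the message bundle deliberately contains; escaping the argument at the point it is inserted into the template keeps both properties, but only if every path that builds such messages does it.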