
Environment: winxp, jetty, postgres, IE
Description

I use addError(...) to reflect messages to the user, including user input.
If the user input is something like <script>alert('hi');</script>, the JS gets executed.
old:
<c:out value="${msg}" escapeXml="false"/>
I suggest:
<c:out value="${msg}" escapeXml="true"/>
The same goes for errors: ${error}
User information for <strong>{0}</strong> has been added successfully.
Oh well, XSS is more important I suppose.
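The two positions taken in this issue (escape the whole rendered message with escapeXml="true", versus the comment above showing that messages such as "User information for <strong>{0}</strong> ..." intentionally contain markup around a user-supplied value) can be reproduced outside a servlet container. The following is an added example, not code from this project or from JSTL: the class name and method names are invented for illustration, and escapeXml() is an assumed re-implementation of the five replacements JSTL's <c:out escapeXml="true"> applies, so that the effect of each option on the reported payload can be seen side by side.

```java
import java.text.MessageFormat;

/**
 * Added example (hypothetical class, not AppFuse or JSTL code).
 * Shows where escaping can happen for a message that is built from a
 * resource-bundle pattern plus a user-supplied argument.
 */
public class MessageEscapeDemo {

    /** Assumed equivalent of what <c:out escapeXml="true"> does: the five
     *  characters <, >, &, " and ' are replaced by entities. */
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed sample input: the message pattern quoted in the comment
    // above, and a user-supplied value of the kind the report describes.
    static final String PATTERN =
        "User information for <strong>{0}</strong> has been added successfully.";
    static final String USER_INPUT = "<script>alert('hi');</script>";

    /** What escapeXml="false" currently renders: the payload reaches the browser intact. */
    static String renderUnescaped(String pattern, String arg) {
        return MessageFormat.format(pattern, arg);
    }

    /** Option A (the suggested fix): escapeXml="true" on the whole message.
     *  Safe, but the <strong> tags from the pattern are shown literally. */
    static String renderEscapeWholeMessage(String pattern, String arg) {
        return escapeXml(MessageFormat.format(pattern, arg));
    }

    /** Option B: escape only the user-supplied argument before it is merged
     *  into the trusted pattern, then keep escapeXml="false" in the JSP.
     *  Safe for this argument and keeps the intended markup. */
    static String renderEscapeArgument(String pattern, String arg) {
        return MessageFormat.format(pattern, escapeXml(arg));
    }

    public static void main(String[] args) {
        System.out.println("escapeXml=false : " + renderUnescaped(PATTERN, USER_INPUT));
        System.out.println("option A        : " + renderEscapeWholeMessage(PATTERN, USER_INPUT));
        System.out.println("option B        : " + renderEscapeArgument(PATTERN, USER_INPUT));
    }
}
```

Option B only holds if every argument passed to addError(...) is escaped before formatting and the pattern text itself comes from a trusted bundle; one call site that forgets to escape reintroduces the bug, which is why option A (escaping at the output point) is the safer default even though it sacrifices the <strong> markup, as the last comment concedes.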