3

As mentioned in http://www.disasterarea.co.uk/blog/xss-vulnerabilities-in-web-frameworks-2/

The ${} is not xss safe in struts 2 while it is safe in tapestry 5.

I am not a Tapestry guy, but I want to know if above is correct.

As far as I know the ${} is part of JSLT and it does not depend on any web frameworks. So if above sentence is correct and the ${} is XSS safe in tapestry, how can we make it safe in struts 2.

Updated:

To test it I run struts2-showcase app, opened modelDriven\modelDrivenResult.jsp and add below line:

Am I safe  ${name}

Now when you run the show case and enter <script> alert('xxxx') </script> as gangester name you can see the alert!

Andrea Ligios
  • 49,480
  • 26
  • 114
  • 243
Alireza Fattahi
  • 42,517
  • 14
  • 123
  • 173
  • 1
    Where did you find that *The ${} is not xss safe in struts 2*? – Aleksandr M Apr 29 '14 at 12:59
  • I have tested it! Two pages and one model driven action. First page populates the action with model second page shows some model properties with ${}. It is strust 2.3.16.2 with struts 2 jquery plugin 3.7.0 on apache-tomcat-7.0.42. Should I configure something?! – Alireza Fattahi Apr 29 '14 at 13:19
  • Please see my update, you can test it in struts show case – Alireza Fattahi Apr 29 '14 at 13:29

2 Answers2

12
  1. Struts2 <s:property value="name" /> is automatically escaped by default;
  2. JSTL <c:out value="${name}" /> is automatically escaped by default;
  3. JSP EL ${name} is NOT escaped.

You can explicitly escape it with ${fn:escapeXml(name)} , or set the escape to be performed by default creating a custom ELResolver as described in this great article:

Andrea Ligios
  • 49,480
  • 26
  • 114
  • 243
  • This is what I was looking for, escaping ALL ${}. Do you think there is a reason which this feature is not implemented in Struts 2 same as tapestry? – Alireza Fattahi Apr 29 '14 at 17:17
  • 2
    @AlirezaFattahi For the reason I gave you: Struts 2 uses JSP. JSP EL doesn't escape values rendered via `${}`. **Tapestry does not use JSP.** – Dave Newton Apr 30 '14 at 01:16
4

Short answer: make it safe either on entry into the app, or on the way to the view layer.

Tapestry's ${} is safe because it's not using JSP/JSP EL. Not escaping stuff is one of the things you lose by using JSP EL's ${} over things like <c:out> and so on.

Dave Newton
  • 158,873
  • 26
  • 254
  • 302