...
- A parameter value included in the construction of a <s:a> result can inject an unescaped double quote, thus being able to inject code in the resulting HTML by escaping the rendered
hrefattribute. - Both the <s:url> and the <s:a> tag fail to escape <script> tags when
includeParamsis set to any other value than "none", which can be exploited by calling the containing JSP/action with GET parameters such ashttp://localhost/foo/bar.action?
<script>alert(1)</script>test=hello
...