Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible XSS vulnerability
Maximum security rating
Do not expose parts of
Struts 2.0.0 - Struts Struts 188.8.131.52
Paolo Perliti paolo dot perliti at miliaris dot it - Miliaris
If you want present language selected by user based on
I18NInterceptor always escape the string before presenting it to the user. Alternatively upgrade to Struts 2.3.2728.
No issues expected when upgrading to Struts 2.3.2728.
When needed you can use StringEscapeUtils from the Apache Commons to escape the string.