S2 002 - L0kiii/Apache-Struts2-Wiki GitHub Wiki

Summary

Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags

Who should read this: All Struts 2 developers
Impact of vulnerability: Injection of malicious client-side code
Maximum security rating: Important
Recommendation: Developers using Struts 2 tags should immediately upgrade to Struts 2.2.1
Affected Software: Struts 2.0.0 - Struts 2.1.8.1
Original JIRA Tickets: WW-2414, WW-2427

Problem

For both the <s:url> and the <s:a> tag, it is possible to inject parameter values that do not get escaped properly when the tag's resulting URLs are constructed and rendered. The following scenarios are known:

  • A parameter value included in the construction of a <s:a> result can inject an unescaped double quote, which breaks out of the rendered href attribute and allows code to be injected into the resulting HTML.
  • Both the <s:url> and the <s:a> tag fail to escape <script> tags when includeParams is set to any value other than "none", which can be exploited by calling the containing JSP/action with GET parameters such as http://localhost/foo/bar.action?<script>alert(1)</script>test=hello

Solution

As of Struts 2.0.11.1

  • Double quotes do get escaped for parameter values used to construct the output of a <s:a> tag
  • <script> tokens do get recursively escaped for parameter values used to construct the output of <s:url> and <s:a> tags

Later findings revealed that 2.0.11.1 does not fix the issue properly.

Minimum required version fixing this particular issue: 2.2.1
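To make the two scenarios in the Problem section and the per-context encoding the Solution aims at concrete, here is an added Python model of the tag's URL rendering step; it is not Struts code, and the action path, the sample request parameters and the `is_inert` check are constructed for this illustration.

```python
from html import escape
from urllib.parse import quote

# Constructed request parameters modelled on the two scenarios in the advisory:
# a parameter name carrying a <script> tag (the includeParams case) and a
# parameter value carrying a double quote (the href breakout case).
REQUEST_PARAMS = {
    "<script>alert(1)</script>test": "hello",
    "q": 'say "hi"',
}
ACTION = "/foo/bar.action"  # hypothetical action path


def render_anchor_naive(action: str, params: dict) -> str:
    """Model of the pre-2.2.1 behaviour the advisory describes: names and values
    are concatenated into the href with no encoding for either context."""
    query = "&".join(f"{name}={value}" for name, value in params.items())
    return f'<a href="{action}?{query}">link</a>'


def render_anchor_safe(action: str, params: dict) -> str:
    """Percent-encode each name and value for the URL context, then escape the
    finished URL for the HTML attribute context. Encoding every character that
    is special in a context, unlike stripping <script> tokens, does not depend
    on recognising particular payloads."""
    query = "&".join(
        f"{quote(name, safe='')}={quote(value, safe='')}" for name, value in params.items()
    )
    return f'<a href="{escape(action + "?" + query, quote=True)}">link</a>'


def is_inert(anchor: str) -> bool:
    """Check a rendered anchor: the href must still be a single quoted attribute
    (exactly two double quotes) and no raw <script> tag may survive."""
    return anchor.count('"') == 2 and "<script" not in anchor.lower()


if __name__ == "__main__":
    for renderer in (render_anchor_naive, render_anchor_safe):
        rendered = renderer(ACTION, REQUEST_PARAMS)
        print(f"{renderer.__name__}: inert={is_inert(rendered)}\n  {rendered}")
```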
