fix(core): WW-5623 HTML-encode form action in PostbackResult to prevent XSS

[tranquac]

Summary

PostbackResult.doExecute() at line 107 embeds finalLocation into a form action attribute via raw string concatenation without HTML encoding. The response Content-Type is text/html (line 103). A double-quote character in the location breaks out of the attribute, enabling reflected XSS.

This is an encoding inconsistency: form field names and values at lines 218-219 ARE properly URL-encoded via URLEncoder.encode(), but the form action attribute was not encoded at all.

Changes

• PostbackResult.java: Add encodeHtml() method to escape &, ", <, > in finalLocation before embedding in the HTML form tag. Consistent with the existing encoding approach for form field values.

Impact

When a developer uses PostbackResult with an OGNL expression referencing a user-controllable property (a documented framework feature for dynamic routing), an attacker can inject arbitrary HTML attributes and elements via the form action attribute.

Test

A PoC application with 5 test scenarios verifies the vulnerability and fix. Browser-based testing with Playwright confirms the XSS alert fires before the fix.

[lukaszlenart]

Could you create a JIRA ticket first?

[tranquac]

I requested a Jira account!

And i will create create a JIRA ticket soon!

[tranquac]

hello @lukaszlenart

I created JIRA ticket for this issue: https://issues.apache.org/jira/projects/WW/issues/WW-5623?filter=allissues

[lukaszlenart]

Please add a focused unit test for this change in PostbackResultTest, covering a malicious finalLocation with characters like ", &, <, and > and asserting they are properly escaped in the rendered action attribute. The fix looks correct for WW-5623, but it should include regression coverage. Also, for consistency with the rest of Struts core, you may want to use StringEscapeUtils.escapeHtml4(...) instead of a custom encodeHtml() helper.

[tranquac]

Thanks for your feedback. I will quickly create a fullfill patch based on your comment. I will notify you when it's finished and create a new PR.

[tranquac]

Hi @lukaszlenart,

Thank you for the review feedback! I've pushed a follow-up commit addressing both points:

Changes in this update

1. Replaced custom encodeHtml() with StringEscapeUtils.escapeHtml4()

Removed the custom helper method and switched to org.apache.commons.text.StringEscapeUtils.escapeHtml4(), consistent with how the rest of Struts core handles HTML encoding (e.g., DefaultActionProxy, Property, TextProviderHelper).

2. Added 3 focused unit tests in PostbackResultTest

Test	What it covers
testFormActionHtmlEscaping	XSS payload with double-quote attribute breakout ("onmouseover="alert(1)"). Asserts escaped entities in rendered action attribute and verifies raw " cannot break out.
testFormActionEscapesAllHtmlSpecialChars	Covers all 4 critical HTML characters (", &, <, >) individually, asserting each is properly escaped to its HTML entity (&quot;, &amp;, &lt;, &gt;).
testFormActionCleanLocationUnchanged	Regression test — verifies that a clean URL without special characters renders unchanged in the action attribute.

All 7 tests pass (4 existing + 3 new):

Tests run: 7, Failures: 0, Errors: 0, Skipped: 0
BUILD SUCCESS

Please let me know if there's anything else you'd like me to adjust.