struts-commits mailing list archives

From lukaszlen...@apache.org
Subject svn commit: r983405 [1/2] - in /websites/production/struts/content: ./ docs/
Date Tue, 22 Mar 2016 08:06:48 GMT
Author: lukaszlenart
Date: Tue Mar 22 08:06:48 2016
New Revision: 983405

Log:
Updates production

Added:
    websites/production/struts/content/docs/version-notes-2328.html
Removed:
    websites/production/struts/content/docs/version-notes-2326.html
Modified:
    websites/production/struts/content/announce-2014.html
    websites/production/struts/content/announce-2015.html
    websites/production/struts/content/announce.html
    websites/production/struts/content/archetype-catalog.xml
    websites/production/struts/content/builds.html
    websites/production/struts/content/coding-standards.html
    websites/production/struts/content/docs/s2-028.html
    websites/production/struts/content/docs/s2-029.html
    websites/production/struts/content/docs/s2-030.html
    websites/production/struts/content/download.html
    websites/production/struts/content/downloads.html
    websites/production/struts/content/helping.html
    websites/production/struts/content/index.html
    websites/production/struts/content/kickstart.html
    websites/production/struts/content/primer.html
    websites/production/struts/content/releases.html
    websites/production/struts/content/security.html
    websites/production/struts/content/submitting-patches.html

Modified: websites/production/struts/content/announce-2014.html
==============================================================================
--- websites/production/struts/content/announce-2014.html (original)
+++ websites/production/struts/content/announce-2014.html Tue Mar 22 08:06:48 2016
@@ -145,24 +145,58 @@ Generated value of token can be predicta
 <ul>
   <li>merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3</li>
   <li>extended existing security mechanism to block access to given Java packages and Classes</li>
-  <li>collection Parameters for <code>RedirectResult</code></li>
-  <li>make <code>ParametersInterceptor</code> supports chinese in hash key by default</li>
-  <li><code>themes.properties</code> can be loaded using <code>ServletContext</code> allows to put template folder under WEB-INF or on classpath</li>
-  <li>new tag <code>datetextfield</code></li>
+  <li>collection Parameters for <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>RedirectResult<span class="w">
+</span></pre></td></tr></tbody></table>
+</code></li>
+  <li>make <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>ParametersInterceptor<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> supports chinese in hash key by default</li>
+  <li><code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>themes.properties<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> can be loaded using <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>ServletContext<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> allows to put template folder under WEB-INF or on classpath</li>
+  <li>new tag <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>datetextfield<span class="w">
+</span></pre></td></tr></tbody></table>
+</code></li>
   <li>only valid Ognl expressions are cached</li>
-  <li>custom <code>TextProvider</code> can be used for validation errors of model driven actions</li>
-  <li><code>datetimepicker</code>’s label fixed</li>
-  <li><code>PropertiesJudge</code> removed and properties are checked in <code>SecurityMemberAccess</code></li>
+  <li>custom <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>TextProvider<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> can be used for validation errors of model driven actions</li>
+  <li><code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>datetimepicker<span class="w">
+</span></pre></td></tr></tbody></table>
+</code>’s label fixed</li>
+  <li><code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>PropertiesJudge<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> removed and properties are checked in <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>SecurityMemberAccess<span class="w">
+</span></pre></td></tr></tbody></table>
+</code></li>
   <li>resource reloading works in IBM JVM</li>
   <li>default reloading settings were removed from default.properties</li>
-  <li><code>commons-fileupload</code> library upgraded to version 1.3.1 to fix potential security vulnerability</li>
-  <li>the scheme attribute accepts expressions in <code>s:url</code> tag</li>
-  <li>solves problem with infinite loop in <code>FastByteArrayOutputStream</code></li>
-  <li><code>LocalizedTextUtil</code> supports many ClassLoaders</li>
+  <li><code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>commons-fileupload<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> library upgraded to version 1.3.1 to fix potential security vulnerability</li>
+  <li>the scheme attribute accepts expressions in <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>s:url<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> tag</li>
+  <li>solves problem with infinite loop in <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>FastByteArrayOutputStream<span class="w">
+</span></pre></td></tr></tbody></table>
+</code></li>
+  <li><code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>LocalizedTextUtil<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> supports many ClassLoaders</li>
   <li>Bill of Materials pom was introduced</li>
-  <li><code>debug=browser|console</code> was migrated to jQuery</li>
-  <li><code>struts_dojo.js</code> was fixed</li>
-  <li>interface <code>org/apache/struts2/views/TagLibrary</code> was restored and marked as <code>@Depreacted</code></li>
+  <li><code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>debug=browser|console<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> was migrated to jQuery</li>
+  <li><code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>struts_dojo.js<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> was fixed</li>
+  <li>interface <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>org/apache/struts2/views/TagLibrary<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> was restored and marked as <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>@Depreacted<span class="w">
+</span></pre></td></tr></tbody></table>
+</code></li>
 </ul>
 
 <p>and many other small improvements, please careful read the <a href="http://struts.apache.org/docs/version-notes-2320.html">version notes</a>.</p>
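Review bot: The added <li> lines put a <table> with a "lineno" gutter inside each inline <code class="highlighter-rouge">, so every one-word identifier (RedirectResult, ParametersInterceptor, s:url and the rest) becomes a block-level table with a "1" in front of it in the middle of a sentence. A table is not valid content for <code>, and the removed lines show these were plain inline spans; line-number rendering should be limited to code blocks, with inline code left as <code>RedirectResult</code>. While regenerating, "@Depreacted" in the last item is carried over unchanged and should read "@Deprecated".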
@@ -228,24 +262,45 @@ the correction wasn’t sufficient.</
 <p>In your struts.xml, replace all custom references to params-interceptor with the following code, especially regarding the class-pattern
 found at the beginning of the excludeParams list:</p>
 
-<pre><code>&lt;interceptor-ref name="params"&gt;
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1
+2
+3</pre></td><td class="code"><pre>&lt;interceptor-ref name="params"&gt;
    &lt;param name="excludeParams"&gt;(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*&lt;/param&gt;
 &lt;/interceptor-ref&gt;
-</code></pre>
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <p>If you are using default interceptor stacks packaged in struts-default.xml, change your parent packages to a customized secured configuration
 as in the following example. Given you are using defaultStack so far, change your packages from</p>
 
-<pre><code>&lt;package name="default" namespace="/" extends="struts-default"&gt;
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1
+2
+3
+4
+5</pre></td><td class="code"><pre>&lt;package name="default" namespace="/" extends="struts-default"&gt;
     &lt;default-interceptor-ref name="defaultStack" /&gt;
     ...
     ...
 &lt;/package&gt;
-</code></pre>
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <p>to</p>
 
-<pre><code>&lt;package name="default" namespace="/" extends="struts-default"&gt;
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12</pre></td><td class="code"><pre>&lt;package name="default" namespace="/" extends="struts-default"&gt;
     &lt;interceptors&gt;
         &lt;interceptor-stack name="secureDefaultStack"&gt;
             &lt;interceptor-ref name="defaultStack"&gt;
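Review bot: The three snippets in this hunk are the struts.xml workaround readers are told to paste in, and each now carries its line numbers as literal text in a <pre class="lineno"> cell beside the code (1 to 3, 1 to 5, 1 to 12), while the <code> wrapper is dropped. Please confirm that selecting a snippet in a browser does not pick up the gutter digits, because a security workaround has to copy out exactly as published, the excludeParams pattern in particular. If the digits are selectable, render these blocks without the gutter and keep the original <pre><code> form.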
@@ -257,7 +312,9 @@ as in the following example. Given you a
     &lt;default-interceptor-ref name="secureDefaultStack" /&gt;
     ...
 &lt;/package&gt; 
-</code></pre>
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <p>Please follow the Apache Struts Announcements to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours.
 Please prepare for upgrading all Struts 2 based production systems to the new release version once available.</p>
@@ -298,12 +355,18 @@ the commons-fileupload jar file in WEB-I
 Maven based Struts 2 projects, the following dependency needs to be
 added:</p>
 
-<pre><code>&lt;dependency&gt;
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1
+2
+3
+4
+5</pre></td><td class="code"><pre>&lt;dependency&gt;
   &lt;groupId&gt;commons-fileupload&lt;/groupId&gt;
   &lt;artifactId&gt;commons-fileupload&lt;/artifactId&gt;
   &lt;version&gt;1.3.1&lt;/version&gt;
 &lt;/dependency&gt;
-</code></pre>
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <p>More details can be found here:</p>
 

Modified: websites/production/struts/content/announce-2015.html
==============================================================================
--- websites/production/struts/content/announce-2015.html (original)
+++ websites/production/struts/content/announce-2015.html Tue Mar 22 08:06:48 2016
@@ -136,7 +136,7 @@ to maintaining applications over time.</
 
 <ul>
   <li>New security option was added - Strict Method Invocation (also known as Strict DMI), see WW-4540</li>
-  <li>Add support for latest stable AngularJS in Maven archetype, see WW-4522   </li>
+  <li>Add support for latest stable AngularJS in Maven archetype, see WW-4522</li>
 </ul>
 
 <p>and many other improvements, please check the version notes</p>
@@ -160,7 +160,9 @@ to maintaining applications over time.</
 
 <ul>
   <li><a href="/docs/s2-026.html">S2-026</a>
-Special <code>top</code> object can be used to access Struts’ internals</li>
+Special <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>top<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> object can be used to access Struts’ internals</li>
 </ul>
 
 <p><strong>All developers are strongly advised to perform this action.</strong></p>
@@ -178,7 +180,7 @@ please post your comments to the user li
 
 <p>Thanks to Taki Uchiyama from JPCERT/CC who reported two potential XSS vulnerabilities available 
 in older versions of The Apache Struts 2. Please read the mentioned security bulletin for more details
-and also reading our <a href="/docs/security.html">Security guideline</a> will help you secure your application </p>
+and also reading our <a href="/docs/security.html">Security guideline</a> will help you secure your application</p>
 
 <h4 id="a20150731">31 July 2015 - Struts 2.5-BETA1 (BETA)</h4>
 
@@ -229,16 +231,30 @@ to maintaining applications over time.</
 
 <ul>
   <li>security fix from 2.3.20.1 is included</li>
-  <li>fixed flow in <code>DefaultActionInvocation</code> and when using the Convention Plugin</li>
+  <li>fixed flow in <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>DefaultActionInvocation<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> and when using the Convention Plugin</li>
   <li>defined new plugin to support Java 8, check Java 8 Support Plugin</li>
-  <li>fixed problem with <code>style</code> attribute</li>
-  <li>fixed problem with converting values from <code>ActionContext</code></li>
+  <li>fixed problem with <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>style<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> attribute</li>
+  <li>fixed problem with converting values from <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>ActionContext<span class="w">
+</span></pre></td></tr></tbody></table>
+</code></li>
   <li>converters are again applied to values coming from the context</li>
-  <li><code>struts.ognl.allowStaticMethodAccess</code> works again</li>
+  <li><code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>struts.ognl.allowStaticMethodAccess<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> works again</li>
   <li>fixed memory leak in CDI plugin</li>
-  <li>fixed problem with hidden field which silently drops <code>label</code> attribute</li>
-  <li>fixed parameters encoding in <code>ServletRedirectAction</code> before checking for valid URI</li>
-  <li><code>css_xhtml</code> hidden input adding table row markup</li>
+  <li>fixed problem with hidden field which silently drops <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>label<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> attribute</li>
+  <li>fixed parameters encoding in <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>ServletRedirectAction<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> before checking for valid URI</li>
+  <li><code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>css_xhtml<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> hidden input adding table row markup</li>
   <li>FreeMarker was upgraded to the latest available version - 2.3.22</li>
   <li>support for Log4j2 was added</li>
 </ul>
@@ -266,7 +282,11 @@ to maintaining applications over time.</
 
 <ul>
   <li><a href="/docs/s2-024.html">S2-024</a>
-Wrong <code>excludeParams</code> overrides those defined in <code>DefaultExcludedPatternsChecker</code></li>
+Wrong <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>excludeParams<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> overrides those defined in <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>DefaultExcludedPatternsChecker<span class="w">
+</span></pre></td></tr></tbody></table>
+</code></li>
 </ul>
 
 <p><strong>All developers are strongly advised to perform this action.</strong></p>

Modified: websites/production/struts/content/announce.html
==============================================================================
--- websites/production/struts/content/announce.html (original)
+++ websites/production/struts/content/announce.html Tue Mar 22 08:06:48 2016
@@ -124,6 +124,57 @@
   Skip to: <a href="announce-2015.html">Announcements - 2015</a>
 </p>
 
+<h4 id="a20160318">18 March 2016 - Struts 2.3.28 General Availability with Security Fix Release</h4>
+
+<p>The Apache Struts group is pleased to announce that Struts 2.3.28 is available as a “General Availability”
+release. The GA designation is our highest quality grade.</p>
+
+<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
+The framework is designed to streamline the full development cycle, from building, to deploying,
+to maintaining applications over time.</p>
+
+<p>This release addresses three potential security vulnerabilities:</p>
+
+<ul>
+  <li>
+    <p><a href="/docs/s2-028.html">S2-028</a>
+Possible XSS vulnerability in pages not using UTF-8 was fixed.</p>
+  </li>
+  <li>
+    <p><a href="/docs/s2-029.html">S2-029</a>
+Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.</p>
+  </li>
+  <li>
+    <p><a href="/docs/s2-030.html">S2-030</a>
+I18NInterceptor narrows selected locale to those available in JVM to reduce possibility of another XSS vulnerability.</p>
+  </li>
+</ul>
+
+<p><strong>All developers are strongly advised to perform this action.</strong></p>
+
+<p>This release contains several breaking changes and improvements just to mention few of them:</p>
+
+<ul>
+  <li>New Configurationprovider type was introduced - ServletContextAwareConfigurationProvider, see WW-4410</li>
+  <li>Setting status code in HttpHeaders isn’t ignored anymore, see WW-4545</li>
+  <li>Spring BeanPostProcessor(s) are called only once to constructed objects., see WW-4554</li>
+  <li>OGNL was upgraded to version 3.0.13, see WW-4562</li>
+  <li>Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568</li>
+  <li>A dedicated assembly with minimal set of jars was defined, see WW-4570</li>
+  <li>Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585</li>
+  <li>Improved the Struts2 Rest plugin to honor Accept header, see WW-4588</li>
+  <li>MessageStoreInterceptor was refactored to use PreResultListener to store messages, see WW-4605</li>
+  <li>A new annotation was added to support configuring Tiles - @TilesDefinition, see WW-4606</li>
+</ul>
+
+<p>and many other improvements, please check the version notes</p>
+
+<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
+Servlet API 2.4, JSP API 2.0, and Java 6.</p>
+
+<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
+to the user list, and, if appropriate, file a tracking ticket.</p>
+
 <h4 id="a20160126">26 January 2016 - Struts 2.5-BETA3 (BETA)</h4>
 
 <p>The Apache Struts group is pleased to announce that Struts 2.5-BETA3 is available as a “BETA” release.</p>
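Review bot: In the added 2.3.28 announcement, "All developers are strongly advised to perform this action." has nothing to refer to, because the text before it only lists S2-028, S2-029 and S2-030 and never tells the reader to upgrade. State the action directly, for example "All developers are strongly advised to upgrade to Struts 2.3.28", which matters here since S2-029 is described as possibly leading to remote code execution. "please check the version notes" is also left unlinked although this revision adds docs/version-notes-2328.html, and two of the new list items need a text fix: "Configurationprovider" and "constructed objects., see WW-4554".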

Modified: websites/production/struts/content/archetype-catalog.xml
==============================================================================
Binary files - no diff available.

Modified: websites/production/struts/content/builds.html
==============================================================================
--- websites/production/struts/content/builds.html (original)
+++ websites/production/struts/content/builds.html Tue Mar 22 08:06:48 2016
@@ -135,13 +135,17 @@ your own copy of the product, use the so
 
 <p>With the <a href="http://git-scm.com/">Git client</a> installed, obtaining a working copy of the Struts codebase is as simple as</p>
 
-<pre><code>&gt; git clone http://git.apache.org/struts.git
-</code></pre>
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>&gt; git clone http://git.apache.org/struts.git
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <p>(Committers with write access should use the <strong>https</strong> protocol instead)</p>
 
-<pre><code>&gt; git clone https://git-wip-us.apache.org/repos/asf/struts.git
-</code></pre>
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>&gt; git clone https://git-wip-us.apache.org/repos/asf/struts.git
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <p>For more about using version control systems at Apache, see the ASF’s
 <a href="http://www.apache.org/dev/#version-control">Source Code Repositories</a> page.</p>
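Review bot: The first clone command in this hunk still uses plain http ("git clone http://git.apache.org/struts.git"), and the sentence after it reserves https for committers, so every other reader is told to fetch the source over a channel where it can be altered in transit without detection. Since both blocks are being regenerated anyway, give all readers an https URL, as the second command already does, and reword the committers note so it is about write access rather than about the protocol.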
@@ -155,13 +159,17 @@ your own applications!)</p>
 
 <p>With Maven installed, building a Struts codebase is as simple as</p>
 
-<pre><code>&gt; mvn install
-</code></pre>
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>&gt; mvn install
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <p>or</p>
 
-<pre><code>&gt; mvn -DskipAssembly=true install
-</code></pre>
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>&gt; mvn -DskipAssembly=true install
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <p>Maven will automatically download any dependencies as needed.</p>
 
@@ -203,14 +211,22 @@ of the distribution may be upgraded to �
 and then made available through ibiblio and other public Maven repositories. To obtain an early distribution via Maven,
 specify the ASF Snapshot repository in the project’s POM.</p>
 
-<pre><code>&lt;repositories&gt;
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1
+2
+3
+4
+5
+6
+7</pre></td><td class="code"><pre>&lt;repositories&gt;
     &lt;repository&gt;
         &lt;id&gt;apache.snapshots&lt;/id&gt;
         &lt;name&gt;ASF Maven 2 Snapshot&lt;/name&gt;
         &lt;url&gt;https://repository.apache.org/content/groups/snapshots/&lt;/url&gt;
     &lt;/repository&gt;
 &lt;/repositories&gt;
-</code></pre>
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <h1 id="licensing-of-apache-struts-builds">Licensing of Apache Struts Builds</h1>
 
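Review bot: The <repository> entry for apache.snapshots in this hunk sets only id, name and url, and Maven enables both releases and snapshots for a repository unless told otherwise, so a project that pastes this block will also resolve release artifacts from the snapshot group. Suggest adding <releases><enabled>false</enabled></releases> and <snapshots><enabled>true</enabled></snapshots> to the example so the early-access repository is consulted only for snapshot versions.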

Modified: websites/production/struts/content/coding-standards.html
==============================================================================
--- websites/production/struts/content/coding-standards.html (original)
+++ websites/production/struts/content/coding-standards.html Tue Mar 22 08:06:48 2016
@@ -152,7 +152,14 @@ or improving.</p>
 
 <p>The original source code:</p>
 
-<pre><code>// Hidden input section
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1
+2
+3
+4
+5
+6
+7
+8</pre></td><td class="code"><pre>// Hidden input section
 a = new Attributes();
 a.add("type", "hidden")
     .add("id", "__multiselect_" + StringUtils.defaultString(StringEscapeUtils.escapeHtml4(id)))
@@ -160,11 +167,28 @@ a.add("type", "hidden")
     .add("value", "").addIfTrue("disabled", disabled);
 start("input", a);
 end("input");
-</code></pre>
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <p>After applying default reformatting (80 columns margin):</p>
 
-<pre><code>// Hidden input section
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+14
+15
+16</pre></td><td class="code"><pre>// Hidden input section
 a = new Attributes();
 a.add("type", "hidden")
     .add("id",
@@ -180,7 +204,9 @@ a.add("type", "hidden")
     .add("value", "").addIfTrue("disabled", disabled);
 start("input", a);
 end("input");
-</code></pre>
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <p>Some suggestions how to improve the code:</p>
 
@@ -188,23 +214,32 @@ end("input");
   <li>
     <p>use static imports</p>
 
-    <pre><code>  a.add("type", "hidden")
+    <div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1
+2</pre></td><td class="code"><pre>  a.add("type", "hidden")
    .add("id", "__multiselect_" + defaultString(escapeHtml4(id)));
-</code></pre>
+</pre></td></tr></tbody></table>
+</div>
+    </div>
   </li>
   <li>
     <p>use dedicated method</p>
 
-    <pre><code>  a.add("type", "hidden")
+    <div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1
+2</pre></td><td class="code"><pre>  a.add("type", "hidden")
    .add("id", "__multiselect_" + safeId(id));
-</code></pre>
+</pre></td></tr></tbody></table>
+</div>
+    </div>
   </li>
   <li>
     <p>use builder</p>
 
-    <pre><code>  a.add("type", "hidden")
+    <div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1
+2</pre></td><td class="code"><pre>  a.add("type", "hidden")
    .add("id", HtmlID.with("__multiselect_").withSafeId(id).create());
-</code></pre>
+</pre></td></tr></tbody></table>
+</div>
+    </div>
   </li>
 </ul>
 
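Review bot: The "use dedicated method" and "use builder" suggestions replace defaultString(escapeHtml4(id)) with safeId(id) and HtmlID.with("__multiselect_").withSafeId(id).create() without saying what those helpers do, so the HTML escaping the original code applied to id is no longer visible in the example. Add a sentence stating that safeId and withSafeId keep the escapeHtml4 call, so a reader tidying similar code does not drop the escaping along with the long expression.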

Modified: websites/production/struts/content/docs/s2-028.html
==============================================================================
--- websites/production/struts/content/docs/s2-028.html (original)
+++ websites/production/struts/content/docs/s2-028.html Tue Mar 22 08:06:48 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-028-Summary">Summary</h2>Use of a JRE with broken URLDecoder implementation may lead to XSS vulnerability in Struts 2 based web applications.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Affects of a cross-site scripting vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade runtime JRE to a recent major version, preferably 1.8. 
 Alternatively upgrade to <a shape="rect" href="version-notes-2326.html">Struts 2.3.26</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>WhiteHat Security (<a shape="rect" class="external-link" href="http://whitehatsec.com" rel="nofollow">whitehatsec.com</a>)</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">-</span></p></td></tr></tbody></table></div><h2 id="S2-028-Problem">Problem</h2><p>When using a single byte page encoding such as ISO-8895-1, an attacker might submit a non-spec URL-encoded parameter value including multi-byte characters.
 </p><p>Struts 2 used the standard JRE URLDecoder to decode parameter values.&#160;<span>Especially JRE 1.5's URLDecoder implementation seems to be broken to the point that this non-spec encoding isn't rejected / filtered. In later JREs the issue was fixed, best known solution is found in JRE 1.8.</span></p><h2 id="S2-028-Solution">Solution</h2><p>Upgrade runtime JRE/JDK, preferably to the most recent 1.8 version.</p><p>Alternatively&#160;<span style="line-height: 1.42857;">upgrade to Struts 2.3.26, which includes and uses a safe URLDecoder implementation from Apache Tomcat</span></p><h2 id="S2-028-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.26</p><h2 id="S2-028-Workaround">Workaround</h2><p>Use UTF-8 for page and parameter encoding.</p><h2 id="S2-028-FurtherReference">Further Reference</h2><p><style>
+            <div id="ConfluenceContent"><h2 id="S2-028-Summary">Summary</h2>Use of a JRE with broken URLDecoder implementation may lead to XSS vulnerability in Struts 2 based web applications.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Affects of a cross-site scripting vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade runtime JRE to a recent major version, preferably 1.8. 
 Alternatively upgrade to <a shape="rect" href="version-notes-2328.html">Struts 2.3.28</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>WhiteHat Security (<a shape="rect" class="external-link" href="http://whitehatsec.com" rel="nofollow">whitehatsec.com</a>)</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">-</span></p></td></tr></tbody></table></div><h2 id="S2-028-Problem">Problem</h2><p>When using a single byte page encoding such as ISO-8895-1, an attacker might submit a non-spec URL-encoded parameter value including multi-byte characters.
 </p><p>Struts 2 used the standard JRE URLDecoder to decode parameter values.&#160;<span>Especially JRE 1.5's URLDecoder implementation seems to be broken to the point that this non-spec encoding isn't rejected / filtered. In later JREs the issue was fixed, best known solution is found in JRE 1.8.</span></p><h2 id="S2-028-Solution">Solution</h2><p>Upgrade runtime JRE/JDK, preferably to the most recent 1.8 version.</p><p>Alternatively&#160;<span style="line-height: 1.42857;">upgrade to Struts 2.3.28, which includes and uses a safe URLDecoder implementation from Apache Tomcat</span></p><h2 id="S2-028-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.28</p><h2 id="S2-028-Workaround">Workaround</h2><p>Use UTF-8 for page and parameter encoding.</p><h2 id="S2-028-FurtherReference">Further Reference</h2><p><style>
     .jira-issue {
         padding: 0 0 0 2px;
         line-height: 20px;
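Review bot: the added Problem paragraph still names the encoding "ISO-8895-1"; the single-byte Latin-1 charset is ISO-8859-1, and since the bulletin turns on which page encodings are exposed, the name should be corrected in the new line. In the same added content the Impact cell reads "Affects of a cross-site scripting vulnerability", which would be clearer as "Possible XSS vulnerability", and the Affected Software cell (unchanged context) repeats the product name in "Struts 2.0.0 - Struts Struts 2.3.24.1".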

Modified: websites/production/struts/content/docs/s2-029.html
==============================================================================
--- websites/production/struts/content/docs/s2-029.html (original)
+++ websites/production/struts/content/docs/s2-029.html Tue Mar 22 08:06:48 2016
@@ -34,6 +34,19 @@ under the License.
             color:                 #666;
         }
     </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
     <script type="text/javascript" language="javascript">
         var hide = null;
         var show = null;
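Review bot: the added head block pulls in six highlighter brushes (Plain, Xml, Java, JScript, Groovy, Bash), while the only code block this commit adds to the page is tagged "brush: xml"; if the exporter template allows it, load only shCore.js and shBrushXml.js here so the bulletin page does not carry scripts it never uses. The new inline script also sets only type="text/javascript", while the existing one right after it sets language="javascript" as well; pick one form for the template.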
@@ -125,7 +138,22 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-029-Summary">Summary</h2>Double OGNL evaluation when using raw user input in tag's attributes.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Always validate incoming parameters' values when re-assigning them to certain Struts' tags attributes. Alternative
 ly upgrade to <a shape="rect" href="version-notes-2326.html">Struts 2.3.26</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity dot com - <a shape="rect" class="external-link" href="http://www.coverity.com/" rel="nofollow">Coverity</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2 id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a
  value that will be evaluated again when a tag's attributes will be rendered.</p><h2 id="S2-029-Solution">Solution</h2><p>Adding a proper validation of each value that's coming in and it's used in tag's attributes.&#160;Alternatively&#160;<span style="line-height: 1.42857;">upgrade to Struts 2.3.26.</span></p><h2 id="S2-029-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.26</p><h2 id="S2-029-Workaround">Workaround</h2><p>Not possible</p></div>
+            <div id="ConfluenceContent"><h2 id="S2-029-Summary">Summary</h2>Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Always validate incoming parameters' values when re-assigning them
  to certain Struts' tags attributes.</p><p>Don't use %{...} syntax in tag attributes other than <em>value</em> unless you have a valid use-case.</p><p>Alternatively upgrade to <a shape="rect" href="version-notes-2328.html">Struts 2.3.28</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporters</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity dot com - Coverity</p><p>Lupin lupin1314 at gmail dot com<a shape="rect" class="external-link" href="http://www.coverity.com/" rel="nofollow">&#160;</a>-&#160;jd.com security team</p><p>nike.zheng at dbappsecurity dot com dot cn - dbappsecurity team</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan
 ="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2 id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks when forced, performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered.</p><h2 id="S2-029-Solution">Solution</h2><p>Adding a proper validation of each value that's coming in and it's used in tag's attributes.</p><p>Don't use forced evaluation of an attribute other than <em>value</em>&#160;using %{...} syntax unless really needed for a valid use-case.&#160;</p><p>By&#160;<span style="line-height: 1.42857;">upgrading to Struts 2.3.28, possible malicious effects of forced double evaluation are limited.</span></p><h2 id="S2-029-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.28</p><h2 id="S2-029-Workaround">Workaroun
 d</h2><p>If you are using Struts 2.3.20, 2.3.24 or 2.3.24.1 you can redefine <code>struts.excludedClasses</code>&#160;as showed below, for more details please read&#160;<a shape="rect" href="security.html">internal security</a> page.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;constant name="struts.excludedClasses"
+              value="
+                java.lang.Object,
+                java.lang.Runtime,
+                java.lang.System,
+                java.lang.Class,
+                java.lang.ClassLoader,
+                java.lang.Shutdown,
+                java.lang.ProcessBuilder,
+                ognl.OgnlContext,
+                ognl.ClassResolver,
+                ognl.TypeConverter,
+                com.opensymphony.xwork2.ognl.SecurityMemberAccess,
+                com.opensymphony.xwork2.ActionContext" /&gt;</pre>
+</div></div></div>
         </div>
 
         
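Review bot: the new Workaround paragraph covers only "Struts 2.3.20, 2.3.24 or 2.3.24.1", while the Affected Software row still lists Struts 2.0.0 through 2.3.24.1 and the removed text said "Not possible"; state explicitly what applies to the other affected versions so their users do not assume the constant helps them. The paragraph should also say whether redefining struts.excludedClasses replaces or extends the existing value, since that decides whether the listed classes must be the complete set. Two smaller points in the added lines: in the Reporters cell the Coverity link now wraps only a "&#160;" inside the Lupin entry, so Romain Gaucher's line lost its link and the anchor sits on the wrong reporter, and "as showed below" should read "as shown below".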

Modified: websites/production/struts/content/docs/s2-030.html
==============================================================================
--- websites/production/struts/content/docs/s2-030.html (original)
+++ websites/production/struts/content/docs/s2-030.html Tue Mar 22 08:06:48 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-030-Summary">Summary</h2>Possible XSS vulnerability in <code>I18NInterceptor</code><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible XSS vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Do not expose parts of <code>Locale</code> object constructed by <code>I18NInterceptor</code> as it may contain user specific string which may leads 
 to XSS vulnerability. Alternatively upgrade to&#160;<a shape="rect" href="version-notes-2326.html">Struts 2.3.26</a>.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Paolo Perliti paolo dot perliti at miliaris dot it - <a shape="rect" class="external-link" href="http://www.miliaris.it/" rel="nofollow">M<span>iliaris</span></a><span>&#160;</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-2162</p></td></tr></tbody></table></div><h2 id="S2-030-Problem">Problem</h2><p>The Apache Struts framework uses <code>I18NInterceptor</code> to allow users and developers switch 
 language used in the framework and an application built on top of it. The problem is that the interceptor doesn't perform any validation of the user input and accept arbitrary string which can be used by a developer to display language selected by the user. However, the framework doesn't expose the value directly in UI.</p><h2 id="S2-030-Solution">Solution</h2><p>If you want present language selected by user based on <code>I18NInterceptor</code> always escape the string before presenting it to the user.&#160;Alternatively&#160;<span style="line-height: 1.42857;">upgrade to Struts 2.3.26.</span></p><h2 id="S2-030-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.26</p><h2 id="S2-030-Workaround">Workaround</h2><p>When needed you can use <a shape="rect" class="external-link" href="https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html">StringEscapeUtils</a> from the Apache Common
 s to escape the string.</p></div>
+            <div id="ConfluenceContent"><h2 id="S2-030-Summary">Summary</h2>Possible XSS vulnerability in <code>I18NInterceptor</code><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible XSS vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Do not expose parts of <code>Locale</code> object constructed by <code>I18NInterceptor</code> as it may contain user specific string which may leads 
 to XSS vulnerability. Alternatively upgrade to&#160;<a shape="rect" href="version-notes-2328.html">Struts 2.3.28</a>.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Paolo Perliti paolo dot perliti at miliaris dot it - <a shape="rect" class="external-link" href="http://www.miliaris.it/" rel="nofollow">M<span>iliaris</span></a><span>&#160;</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-2162</p></td></tr></tbody></table></div><h2 id="S2-030-Problem">Problem</h2><p>The Apache Struts framework uses <code>I18NInterceptor</code> to allow users and developers switch 
 language used in the framework and an application built on top of it. The problem is that the interceptor doesn't perform any validation of the user input and accept arbitrary string which can be used by a developer to display language selected by the user. However, the framework doesn't expose the value directly in UI.</p><h2 id="S2-030-Solution">Solution</h2><p>If you want present language selected by user based on <code>I18NInterceptor</code> always escape the string before presenting it to the user.&#160;Alternatively&#160;<span style="line-height: 1.42857;">upgrade to Struts 2.3.28.</span></p><h2 id="S2-030-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.28.</p><h2 id="S2-030-Workaround">Workaround</h2><p>When needed you can use <a shape="rect" class="external-link" href="https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html">StringEscapeUtils</a> from the Apache Commo
 ns to escape the string.</p></div>
         </div>
 
         
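Review bot: the Solution paragraph now says only "upgrade to Struts 2.3.28" without saying what the upgrade changes, while the version notes added in this same commit state that I18NInterceptor "narrows selected locale to those available in JVM"; repeat that here and keep the advice to escape the locale string on output, so readers know what the upgrade covers. The Workaround links to the StringEscapeUtils class page but names no method; naming the HTML-escaping method to call would make it actionable. The carried-over wording "which may leads to XSS vulnerability" and "If you want present language selected by user" should be fixed while the line is being touched.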

Added: websites/production/struts/content/docs/version-notes-2328.html
==============================================================================
--- websites/production/struts/content/docs/version-notes-2328.html (added)
+++ websites/production/struts/content/docs/version-notes-2328.html Tue Mar 22 08:06:48 2016
@@ -0,0 +1,168 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>Version Notes 2.3.28</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="guides.html">Guides</a>&nbsp;&gt;&nbsp;<a href="migration-guide.html">Migration Guide</a>&nbsp;&gt;&nbsp;<a href="version-notes-2328.html">Version Notes 2.3.28</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">Version Notes 2.3.28</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687305">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687305">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687305">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687305">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687305">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687305">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> These are the notes for the Struts 2.3.28 distribution.</p><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> For prior notes in this release series, see <a shape="rect" href="version-notes-2320.html">Version Notes 2.3.20</a></p><ul><li>If you are a Maven user, you might want to get started using the <a shape="rect" href="struts-2-maven-archetypes.html">Maven Archetype</a>.</li><li>Another quick-start entry point is the <strong>blank</strong> application. Rename and deploy the WAR as a starting point for your own development.</li><li>There is huge number of examples you can als
 o use as a starting point for you application&#160;<a shape="rect" class="external-link" href="https://github.com/apache/struts-examples" rel="nofollow">here</a></li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Maven Dependency</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;dependency&gt;
+  &lt;groupId&gt;org.apache.struts&lt;/groupId&gt;
+  &lt;artifactId&gt;struts2-core&lt;/artifactId&gt;
+  &lt;version&gt;2.3.28&lt;/version&gt;
+&lt;/dependency&gt;
+</pre>
+</div></div><p>You can also use Struts Archetype Catalog like below</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Struts Archetype Catalog</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: text; gutter: false; theme: Default" style="font-size:12px;">mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/</pre>
+</div></div><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Staging Repository</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;repositories&gt;
+  &lt;repository&gt;
+    &lt;id&gt;apache.nexus&lt;/id&gt;
+    &lt;name&gt;ASF Nexus Staging&lt;/name&gt;
+    &lt;url&gt;https://repository.apache.org/content/groups/staging/&lt;/url&gt;
+  &lt;/repository&gt;
+&lt;/repositories&gt;</pre>
+</div></div><h2 id="VersionNotes2.3.28-InternalChanges">Internal Changes</h2><ul><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)">&#160;Possible XSS vulnerability in pages not using UTF-8 was fixed, read more details in&#160;<a shape="rect" href="s2-028.html">S2-028</a></li><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)">&#160;Prevents possible RCE when reusing user input in tag's attributes, see more details in&#160;<a shape="rect" href="s2-029.html">S2-029</a></li><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png"
  data-emoticon-name="warning" alt="(warning)">&#160;<code>I18NInterceptor</code> narrows selected locale to those available in JVM to reduce possibility of another XSS vulnerability, see more details in&#160;<a shape="rect" href="s2-030.html">S2-030</a></li><li>New&#160;<code>Configurationprovider</code> type was introduced -&#160;<a shape="rect" href="configuration-provider-configuration.html">ServletContextAwareConfigurationProvider</a>, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4410">WW-4410</a></li><li>Setting status code in <code>HttpHeaders</code>&#160;isn't ignored anymore, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4545">WW-4545</a></li><li>Spring <code>BeanPostProcessor(s)</code>&#160;are called only once to constructed objects., see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4554">WW-4554</a></li><li>OGNL was upgraded to vers
 ion 3.0.13, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4562">WW-4562</a></li><li>Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4568">WW-4568</a></li><li>A dedicated assembly with minimal set of jars was defined, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4570">WW-4570</a></li><li>Struts2 Rest plugin properly handles JSESSIONID with DMI, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4585">WW-4585</a></li><li>Improved the Struts2 Rest plugin to honor Accept header, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4588">WW-4588</a></li><li><code>MessageStoreInterceptor</code> was refactored to use&#160;<code>PreResultListener</code>&#160;to store messages, see&#160;<a shape="rect" cl
 ass="external-link" href="https://issues.apache.org/jira/browse/WW-4605">WW-4605</a></li><li>A new annotation was added to support configuring Tiles - <code>@TilesDefinition</code>, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4606">WW-4606</a></li><li>and many other small improvements, please see the release notes</li></ul><p>&#160;</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>This release contains fix related to <a shape="rect" href="s2-028.html">S2-028</a>, <a shape="rect" href="s2-029.html">S2-029</a> and <a shape="rect" href="s2-030.html">S2-030</a> security bulletins, please read it carefully!</p></div></div><h3 id="VersionNotes2.3.28-IssueDetail">Issue Detail</h3><ul><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/se
 cure/ReleaseNote.jspa?version=12333842&amp;projectId=12311041">JIRA Release Notes 2.3.28</a></li></ul><h3 id="VersionNotes2.3.28-IssueList">Issue List</h3><ul><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/issues/?filter=12326872">Struts 2.3.20 DONE</a></li><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/issues/?filter=12318399">Struts 2.3.x TODO</a></li></ul><h3 id="VersionNotes2.3.28-Otherresources">Other resources</h3><ul><li><a shape="rect" class="external-link" href="http://www.mail-archive.com/commits%40struts.apache.org/" rel="nofollow">Commit Logs</a></li><li><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=struts.git;a=tree;h=refs/heads/develop;hb=develop">Source Code Repository</a></li></ul><div><span style="font-size: 24.0px;line-height: 30.0px;"><br clear="none"></span></div><div><span style="font-size: 24.0px;line-height: 30.0px;background-color: rgb(245,245,245);"><br cl
 ear="none"></span></div></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
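Review bot: In the added version-notes-2328.html, the first Issue List link is labelled "Struts 2.3.20 DONE" (filter=12326872) although the page documents 2.3.28. The label, and possibly the filter id, look carried over from an older notes page and should be checked against the 2.3.28 release. The warning macro says only that the release "contains fix related to" S2-028, S2-029 and S2-030 and asks readers to "read it carefully"; say there whether upgrading to this release is the expected action. The two empty trailing <div><span style="font-size: 24.0px;..."> blocks are editor residue and can be dropped.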

Modified: websites/production/struts/content/download.html
==============================================================================
--- websites/production/struts/content/download.html (original)
+++ websites/production/struts/content/download.html Tue Mar 22 08:06:48 2016
@@ -177,27 +177,27 @@
 <h1>Full Releases</h1>
 <a name="struts-ga"></a>
 
-<a name="struts23241"></a>
-<h2>Struts 2.3.24.1</h2>
+<a name="struts2328"></a>
+<h2>Struts 2.3.28</h2>
 
 <p>
-  <a href="http://struts.apache.org/">Apache Struts 2.3.24.1</a> is an elegant, extensible
+  <a href="http://struts.apache.org/">Apache Struts 2.3.28</a> is an elegant, extensible
   framework for creating enterprise-ready Java web applications. It is available in a full distribution,
   or as separate library, source, example and documentation distributions.
-  Struts 2.3.24.1 is the "best available" version of Struts in the 2.3 series.
+  Struts 2.3.28 is the "best available" version of Struts in the 2.3 series.
 </p>
 
 <ul>
   <li>
-    <a href="http://struts.apache.org/docs/version-notes-23241.html">Version Notes</a>
+    <a href="http://struts.apache.org/docs/version-notes-2328.html">Version Notes</a>
   </li>
 
   <li>Full Distribution:
     <ul>
       <li>
-        <a href="[preferred]/struts/2.3.24.1/struts-2.3.24.1-all.zip">struts-2.3.24.1-all.zip</a> (65MB)
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.3.24.1-all.zip.asc">PGP</a>]
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.3.24.1-all.zip.md5">MD5</a>]
+        <a href="[preferred]/struts/2.3.28/struts-2.3.28-all.zip">struts-2.3.28-all.zip</a> (65MB)
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.3.28-all.zip.asc">PGP</a>]
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.3.28-all.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
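Review bot: The [PGP] and [MD5] links in the Full Distribution entry are still plain http://www.apache.org/dist/... URLs, so the files a user fetches to verify the download can themselves be altered in transit. Since these lines are being rewritten anyway, switch them to https://. MD5 only detects accidental corruption, so the page should point users at the .asc signature as the integrity check that matters. The same applies to the apps, lib, docs and src entries in the hunks that follow.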
@@ -205,18 +205,18 @@
   <li>Example Applications:
     <ul>
       <li>
-        <a href="[preferred]/struts/2.3.24.1/struts-2.3.24.1-apps.zip">struts-2.3.24.1-apps.zip</a> (35MB)
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.3.24.1-apps.zip.asc">PGP</a>]
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.3.24.1-apps.zip.md5">MD5</a>]
+        <a href="[preferred]/struts/2.3.28/struts-2.3.28-apps.zip">struts-2.3.28-apps.zip</a> (35MB)
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.3.28-apps.zip.asc">PGP</a>]
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.3.28-apps.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
   <li>Essential Dependencies Only:
     <ul>
       <li>
-        <a href="[preferred]/struts/2.3.24.1/struts-2.3.24.1-lib.zip">struts-2.3.24.1-lib.zip</a> (19MB)
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.3.24.1-lib.zip.asc">PGP</a>]
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.3.24.1-lib.zip.md5">MD5</a>]
+        <a href="[preferred]/struts/2.3.28/struts-2.3.28-lib.zip">struts-2.3.28-lib.zip</a> (19MB)
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.3.28-lib.zip.asc">PGP</a>]
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.3.28-lib.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
@@ -224,18 +224,18 @@
   <li>Documentation:
     <ul>
       <li>
-        <a href="[preferred]/struts/2.3.24.1/struts-2.3.24.1-docs.zip">struts-2.3.24.1-docs.zip</a> (13MB)
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.3.24.1-docs.zip.asc">PGP</a>]
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.3.24.1-docs.zip.md5">MD5</a>]
+        <a href="[preferred]/struts/2.3.28/struts-2.3.28-docs.zip">struts-2.3.28-docs.zip</a> (13MB)
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.3.28-docs.zip.asc">PGP</a>]
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.3.28-docs.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
   <li>Source:
     <ul>
       <li>
-        <a href="[preferred]/struts/2.3.24.1/struts-2.3.24.1-src.zip">struts-2.3.24.1-src.zip</a> (7MB)
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.3.24.1-src.zip.asc">PGP</a>]
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.3.24.1-src.zip.md5">MD5</a>]
+        <a href="[preferred]/struts/2.3.28/struts-2.3.28-src.zip">struts-2.3.28-src.zip</a> (7MB)
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.3.28-src.zip.asc">PGP</a>]
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.3.28-src.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
@@ -262,8 +262,8 @@
     <ul>
       <li>
         <a href="[preferred]/struts/2.5-BETA3/struts-2.5-BETA3-all.zip">struts-2.5-BETA3-all.zip</a> (65MB)
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.5-BETA3-all.zip.asc">PGP</a>]
-        [<a href="http://www.apache.org/dist/struts/2.3.24.1/struts-2.5-BETA3-all.zip.md5">MD5</a>]
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.5-BETA3-all.zip.asc">PGP</a>]
+        [<a href="http://www.apache.org/dist/struts/2.3.28/struts-2.5-BETA3-all.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
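Review bot: The version bump has been applied to the wrong artifact in the 2.5-BETA3 entry: the archive link points at [preferred]/struts/2.5-BETA3/, but the [PGP] and [MD5] links now point at dist/struts/2.3.28/struts-2.5-BETA3-all.zip.asc and .md5. The old lines had the same mismatch with 2.3.24.1, so this looks like a search-and-replace carrying an existing error forward. If those files do not exist under the 2.3.28 directory, users cannot verify the beta download; the directory segment should match the artifact, i.e. 2.5-BETA3.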

Modified: websites/production/struts/content/downloads.html
==============================================================================
--- websites/production/struts/content/downloads.html (original)
+++ websites/production/struts/content/downloads.html Tue Mar 22 08:06:48 2016
@@ -137,7 +137,7 @@
     <ul>
       <li>
         <a href="http://struts.apache.org/download.cgi#struts-ga">
-          Struts 2.3.24.1
+          Struts 2.3.28
         </a> ("best available")
       </li>
     </ul>

Modified: websites/production/struts/content/helping.html
==============================================================================
--- websites/production/struts/content/helping.html (original)
+++ websites/production/struts/content/helping.html Tue Mar 22 08:06:48 2016
@@ -171,8 +171,10 @@
   or documentation from the main repository. You can then change your copy, and create the patch using a simple
   <a href="http://git-scm.com/">Git</a> command, like this:</p>
 
-<pre><code>    git diff Main.java &gt;&gt; patchfile.txt
-</code></pre>
+<div class="highlighter-rouge"><div class="highlight"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>    git diff Main.java &gt;&gt; patchfile.txt
+</pre></td></tr></tbody></table>
+</div>
+</div>
 
 <p>Then, create a <a href="#issues">JIRA issue</a>about the change, and attach the patch file.</p>
 
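Review bot: The one-line command `git diff Main.java >> patchfile.txt` is now wrapped in a highlighter table with a `<pre class="lineno">1</pre>` gutter, which adds markup without adding information and lets the "1" end up in a copied selection. Line numbers should be disabled for single-line snippets in the site generator configuration rather than committing the generated table. While here, the context line `<a href="#issues">JIRA issue</a>about` is missing a space before "about".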

Modified: websites/production/struts/content/index.html
==============================================================================
--- websites/production/struts/content/index.html (original)
+++ websites/production/struts/content/index.html Tue Mar 22 08:06:48 2016
@@ -125,7 +125,7 @@
       extensible using a plugin architecture, and ships with plugins to support
       REST, AJAX and JSON.
     </p>
-    <a href="/download.cgi#struts23241" class="btn btn-primary btn-large">
+    <a href="/download.cgi#struts2328" class="btn btn-primary btn-large">
       <img src="img/download-icon.svg"> Download
     </a>
     <a href="primer.html" class="btn btn-info btn-large">
@@ -137,12 +137,12 @@
   <div class="col-md-12">
     <div class="row">
       <div class="column col-md-4">
-        <h2>Struts 2.3.24.1 GA</h2>
+        <h2>Struts 2.3.28 GA</h2>
         <p>
-          Apache Struts 2.3.24.1 GA has been released<br/>on 24 september 2015.
+          Apache Struts 2.3.28 GA has been released<br/>on 18 march 2016.
         </p>
-        Read more in <a href="announce.html#a20150924">Announcement</a> or in
-        <a href="/docs/version-notes-23241.html">Version notes</a>
+        Read more in <a href="announce.html#a20160318">Announcement</a> or in
+        <a href="/docs/version-notes-2328.html">Version notes</a>
       </div>
       <div class="column col-md-4">
         <h2>Google's Patch Reward program</h2>
@@ -163,15 +163,25 @@
     </div>
     <div class="row">
       <div class="column col-md-4">
+        <h2>Security Bulletin S2-028</h2>
+        <p>
+          A new security bulletin was published, please carefully read the
+          <a href="/docs/s2-028.html">Announcement</a>
+        </p>
       </div>
       <div class="column col-md-4">
-        <h2>Security Bulletin S2-026</h2>
+        <h2>Security Bulletin S2-029</h2>
         <p>
           A new security bulletin was published, please carefully read the
-          <a href="/docs/s2-026.html">Announcement</a>
+          <a href="/docs/s2-029.html">Announcement</a>
         </p>
       </div>
       <div class="column col-md-4">
+        <h2>Security Bulletin S2-030</h2>
+        <p>
+          A new security bulletin was published, please carefully read the
+          <a href="/docs/s2-030.html">Announcement</a>
+        </p>
       </div>
     </div>
   </div>
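Review bot: The three bulletin panels (S2-028, S2-029, S2-030) carry identical body text, "A new security bulletin was published, please carefully read the Announcement", so the front page does not tell a reader what is affected or which release contains the fix. Add one line per panel with the issue summary from the bulletin and name 2.3.28 as the release carrying the fix, as the version notes in this same commit already do. Replacing the S2-026 panel outright also removes the only front-page pointer to that bulletin; confirm that is intended.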

Modified: websites/production/struts/content/kickstart.html
==============================================================================
--- websites/production/struts/content/kickstart.html (original)
+++ websites/production/struts/content/kickstart.html Tue Mar 22 08:06:48 2016
@@ -312,7 +312,9 @@
 </ul>
 
 <p>Not a usenet group, but the Apache Struts User list can be accessed with your favorite newsgroup reader from
-  the <a href="http://news.gmane.org/">GMane News Site</a>. Subscribe to groups <code>gmane.comp.jakarta.struts.user</code>
+  the <a href="http://news.gmane.org/">GMane News Site</a>. Subscribe to groups <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>gmane.comp.jakarta.struts.user<span class="w">
+</span></pre></td></tr></tbody></table>
+</code>
   for the user list.</p>
 
 <ul>
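Review bot: The inline `<code>gmane.comp.jakarta.struts.user</code>` has become `<code class="highlighter-rouge"><table ...>` inside a `<p>`, which is invalid nesting: a `<table>` cannot sit inside `<code>` or `<p>`, so browsers will close the paragraph early and render the group name as a separate numbered block in the middle of the sentence. This looks like a site generator regression (block highlighting with line numbers applied to inline code spans) and should be fixed in the generator settings before publishing. The same pattern appears in the primer.html, releases.html and security.html hunks of this commit.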

Modified: websites/production/struts/content/primer.html
==============================================================================
--- websites/production/struts/content/primer.html (original)
+++ websites/production/struts/content/primer.html Tue Mar 22 08:06:48 2016
@@ -309,7 +309,9 @@ several requests to be somewhat difficul
 
 <p>To alleviate this difficulty, the servlet API provides a programmatic
 concept called a <em>session</em>, represented as an object that
-implements the <code>javax.servlet.http.HttpSession</code>
+implements the <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>javax.servlet.http.HttpSession<span class="w">
+</span></pre></td></tr></tbody></table>
+</code>
 interface. The servlet container will use one of two techniques
 (cookies or URL rewriting) to ensure that the next request from the
 same user will include the <em>session id</em>

Modified: websites/production/struts/content/releases.html
==============================================================================
--- websites/production/struts/content/releases.html (original)
+++ websites/production/struts/content/releases.html Tue Mar 22 08:06:48 2016
@@ -199,17 +199,29 @@ control alerts. Trimming trailing spaces
   <li>Specify imported classes (do not use <em>.*</em>).</li>
   <li>Write all if/else statements as full blocks with each clause within braces, unless the entire statement fits
 on the same line.</li>
-  <li>Use <code>FIXME:</code> and <code>TODO:</code> tokens to mark follow up notes in code. You may also
+  <li>Use <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>FIXME:<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> and <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>TODO:<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> tokens to mark follow up notes in code. You may also
 include your Apache username and the date.</li>
-  <li>Omit <code>@author</code> tags.</li>
-  <li><code>@since</code> to document changes between Struts versions, as in <code>@since Struts 2.1.</code></li>
+  <li>Omit <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>@author<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> tags.</li>
+  <li><code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>@since<span class="w">
+</span></pre></td></tr></tbody></table>
+</code> to document changes between Struts versions, as in <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>@since Struts 2.1.<span class="w">
+</span></pre></td></tr></tbody></table>
+</code></li>
   <li>Wrap lines of code and JavaDoc at column 78. You can include a “comment rule” in the source to help with
 this.</li>
   <li>Please do your best to provide high-quality Javadocs for all source code elements. Package overviews
 (aka “Developer Guides”) are also encouraged.</li>
   <li>When working on a bugfix, please first write a test case that proves the bug exists, and then use the test
 to prove the bug is fixed. =:0)</li>
-  <li>When working on an enhancement, please feel free to use test-driven design and write the test first <code>&lt;head-slap/&gt;</code></li>
+  <li>When working on an enhancement, please feel free to use test-driven design and write the test first <code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1</pre></td><td class="code"><pre>&lt;head-slap/&gt;<span class="w">
+</span></pre></td></tr></tbody></table>
+</code></li>
   <li>As files are updated from year to year, the copyright on each file should be extended to include the current
 year. <em>You do not need to change the copyright year unless you change the file.</em>  Every source file should
 include the ASF copyright notice and current Apache License and copyright.</li>

Modified: websites/production/struts/content/security.html
==============================================================================
--- websites/production/struts/content/security.html (original)
+++ websites/production/struts/content/security.html Tue Mar 22 08:06:48 2016
@@ -129,8 +129,11 @@ before disclosing them in a public forum
 <p>We cannot accept regular bug reports or other queries at this address, we ask that you use our
 <a href="https://issues.apache.org/jira/browse/WW">issue tracker (JIRA)</a> for those.</p>
 
-<p><code>All mail sent to this address that does not relate to security problems in the Apache
-Struts source code will be ignored</code>.</p>
+<p><code class="highlighter-rouge"><table style="border-spacing: 0"><tbody><tr><td class="gutter gl" style="text-align: right"><pre class="lineno">1
+2</pre></td><td class="code"><pre>All mail sent to this address that does not relate to security problems in the Apache
+Struts source code will be ignored<span class="w">
+</span></pre></td></tr></tbody></table>
+</code>.</p>
 
 <p>Note that all networked servers are subject to denial of service attacks, and we cannot promise magic
 workarounds to generic problems (such as a client streaming lots of data to your server, or re-requesting
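Review bot: The sentence "All mail sent to this address that does not relate to security problems ... will be ignored" is policy text, not code, and after this change it renders as a two-line code listing with a `lineno` gutter ("1", "2") inside a `<p>`. On the page that tells people how to report vulnerabilities this makes a key instruction harder to read. Mark it up as `<strong>` or `<em>` in the source so the highlighter does not touch it, rather than committing the generated table.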


