struts-dev mailing list archives

From Greg Huber <gregh3...@gmail.com>
Subject Re: Referencing request parameters in struts tags.
Date Tue, 08 Nov 2016 12:06:39 GMT
Nearly:

<s:text name="#parameters.get('error').value"/>

This is now blocked:

#parameters.get('error').value

But:

<s:text name="#parameters.error"/>

Does the popup!

#####

Also, if I modify my class for HttpParametersAware and use the new
HttpParameters

i.e.

    public void setParameters(HttpParameters parameters) {
        this.params = parameters.toMap();
    }

    public String getParameter(String key) {
        String[] p = (String[]) this.params.get(key);
        if (p != null && p.length > 0) {
            return p[0];
        }
        return null;
    }

then:

<s:text name="getParameter('error')" />

I also get the popup.


On 8 November 2016 at 10:44, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> Pushed changes to the repo, you can test with the latest SNAPSHOT version
>
> 2016-11-02 10:28 GMT+01:00 Lukasz Lenart <lukaszlenart@apache.org>:
> > 2016-11-02 9:19 GMT+01:00 Lukasz Lenart <lukaszlenart@apache.org>:
> >> 2016-11-02 9:12 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> >>> Looking at this:
> >>>
> >>> <s:if test="#parameters.contains('error')">
> >>>   <ul><li>
> >>>     <s:text name="#parameters.get('error').value"/>
> >>>   </li></ul>
> >>> </s:if>
> >>>
> >>> and if I use :
> >>>
> >>> login.action?error=<script type="text/javascript">alert(" ok1");</script>
> >>>
> >>> I get a js alert box popup.
> >>>
> >>> Should it be able to popup the alert box?  Thought this kind of script
> >>> should be escaped.
> >>
> >> Yeah, that's why calling directly .value in your scriptlet isn't a good
> >> practice and I want to add a dedicated converter/accessor for
> >> HttpParameters to avoid such a situation.
> >
> > Small progress
> >
> > These don't work as access to .value is not allowed
> > Test: <s:property value="%{#parameters.message.value}"/>
> > Test: <s:property value="%{#parameters.get('message').value}"/>
> > Test: <s:text name="%{#parameters.message.value}"/>
> > Test: <s:text name="%{#parameters.get('message').value}"/>
> >
> > These work and are safe
> > Test: <s:property value="%{#parameters.message}"/>
> > Test: <s:text name="%{#parameters.message}"/>
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
>
>
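
Added example, not part of the thread or of the Struts code base: the getParameter accessor in the message above hands the raw request value to <s:text>, so this stand-alone Java class shows two action-side ways to keep that value from reaching the page as markup, either restricting it to known message keys or HTML-escaping it. It uses no Struts classes; the class name SafeErrorParam, the message keys and the escapeHtml helper are assumptions, and Set.of needs Java 9 or later.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example: plain Java with no Struts dependency, so it runs stand-alone.
public class SafeErrorParam {
    // Hypothetical allow-list of message keys the login page may display.
    private static final Set<String> KNOWN_ERRORS =
            Set.of("error.login.failed", "error.session.expired");
    private final Map<String, String[]> params;

    public SafeErrorParam(Map<String, String[]> params) { this.params = params; }

    // Same lookup as getParameter(String) in the message above: first value or null.
    public String getParameter(String key) {
        String[] p = params.get(key);
        return (p != null && p.length > 0) ? p[0] : null;
    }

    // Option 1: only ever hand a known message key to the tag, never raw input.
    public String getErrorKey() {
        String v = getParameter("error");
        return (v != null && KNOWN_ERRORS.contains(v)) ? v : "error.unknown";
    }

    // Option 2: HTML-escape the value before it can be written into the page.
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed request carrying a script value like the one in the thread.
        Map<String, String[]> request = new HashMap<>();
        request.put("error", new String[] {"<script>alert(\"ok1\");</script>"});
        SafeErrorParam action = new SafeErrorParam(request);
        System.out.println(action.getErrorKey());
        System.out.println(escapeHtml(action.getParameter("error")));
    }
}
```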
