struts-dev mailing list archives

From Greg Huber <gregh3...@gmail.com>
Subject Re: Referencing request parameters in struts tags.
Date Fri, 11 Nov 2016 10:21:31 GMT
> What browser do you use?

firefox 45.4.0 on centos

> <s:text/> should only be used to fetch messages from properties files
> like you did, exactly what the description says: "Render a I18n text
> message". Using it for something else is a bad idea.
> I can escape the returning value, this will block JavaScript
> injections like you did.

Maybe worth only allowing <s:text/> from .properties, as it says in the
description?? ...For easier maintenance, and escaping might slow it down
even more!!

When I started using struts I made the mistake of using <s:text/>
incorrectly where I should have used <s:properties/> as it works.  Also I
had no idea that these hidden #parameters etc exist.

Cheers


On 11 November 2016 at 10:06, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> 2016-11-11 9:13 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> >> Are you sure you are using the latest SNAPSHOT build? I cannot confirm
> >> this locally
> >>http://screencast.com/t/j5Fz7EnBD4SZ
> >
> > I have rechecked it and it still pops
> >
> > <s:text name="#parameters.error"/>
> >
> > struts2-core-2.5.6-SNAPSHOT.jar and is dated 7/11/2016
>
> What browser do you use?
>
> >>but this is basically your fault as a developer. I'm going to mark
> >>.toMap as deprecated and hide access to it.
> >
> > agreed, but security breaches can come from within, especially on large
> > projects, and it's easy to hide a <s:text name="getParameter('error')" />
> > somewhere.
> >
> > Is there a reason why the s:text has such a wide usage?  I really only use
> > it for text from my ApplicationResources.properties.  I use s:property for
> > all the get(..) etc stuff.
>
> <s:text/> should only be used to fetch messages from properties files
> like you did, exactly what the description says: "Render a I18n text
> message". Using it for something else is a bad idea.
> I can escape the returning value, this will block JavaScript
> injections like you did.
>
> > <s:property value="#parameters.error"/>
> >
> > is blocked.
>
> Cool :)
>
>
> Regards
> --
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
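The exchange above turns on one point: when the `name` attribute of `<s:text/>` is evaluated as an expression such as `#parameters.error`, a request parameter becomes the message key, and an unknown key is rendered back as-is, so browser-supplied markup reaches the page. The following Python model is an added illustration and is not part of the thread or of Struts itself; it simplifies the tag's real Java implementation to the behaviour the thread describes (expression evaluation, bundle lookup, fall back to the key) and places the two remedies discussed, escaping the returned value (Lukasz) and restricting `<s:text/>` to bundle keys (Greg), beside it. The message bundle, request parameters and JSP snippet are constructed sample data; the code-review check at the end is a heuristic of my own, not a Struts feature.

```python
import html
import re

# Constructed stand-in for ApplicationResources.properties.
MESSAGES = {
    "error.generic": "Something went wrong.",
    "label.name": "Name",
}

# Constructed request parameters, as the servlet container would expose them.
# The 'error' value is a harmless marker showing that markup passes through
# unescaped; it is not a working payload against anything.
REQUEST_PARAMS = {
    "error": "<script>alert(1)</script>",
    "lang": "en",
}


def resolve_expression(expr, params):
    """Tiny stand-in for OGNL evaluation of a tag attribute (assumption:
    only the '#parameters.<key>' form from the thread is modelled; any
    other string is treated as a literal message key)."""
    m = re.fullmatch(r"#parameters\.(\w+)", expr)
    if m:
        return params.get(m.group(1), "")
    return expr


def text_tag_unescaped(name, params, messages=MESSAGES):
    """Behaviour reported in the thread: name is evaluated, the result is
    used as a message key, and a missing key is rendered verbatim."""
    key = resolve_expression(name, params)
    return messages.get(key, key)


def text_tag_escaped(name, params, messages=MESSAGES):
    """Lukasz's fix: same lookup, but the returned value is HTML-escaped,
    so request-derived text can no longer become active markup."""
    return html.escape(text_tag_unescaped(name, params, messages), quote=True)


def text_tag_bundle_only(name, params, messages=MESSAGES):
    """Greg's suggestion: never evaluate name as an expression; only bundle
    keys are honoured, and an unknown key renders the literal key, escaped."""
    if name in messages:
        return html.escape(messages[name], quote=True)
    return html.escape(name, quote=True)


def property_tag(value, params):
    """Models <s:property/> with its default escaping, which the thread
    reports already blocks the injection."""
    return html.escape(resolve_expression(value, params), quote=True)


# Code-review check (my own heuristic, not a parser): flag <s:text/> tags
# whose name attribute carries an expression marker rather than a plain key.
TEXT_TAG_NAME = re.compile(
    r"""<s:text\s+[^>]*name\s*=\s*(?P<q>["'])(?P<name>.*?)(?P=q)""",
    re.IGNORECASE,
)


def find_dynamic_text_tags(jsp_source):
    """Return the name attributes of <s:text/> tags that are not literal keys."""
    hits = []
    for m in TEXT_TAG_NAME.finditer(jsp_source):
        name = m.group("name")
        if any(marker in name for marker in ("#", "(", "%{")):
            hits.append(name)
    return hits


# Constructed JSP fragment mixing safe and risky usages from the thread.
JSP_SAMPLE = """<s:text name="label.name"/>
<s:text name="#parameters.error"/>
<s:text name="getParameter('error')" />
<s:property value="#parameters.error"/>
"""

if __name__ == "__main__":
    print("unescaped  :", text_tag_unescaped("#parameters.error", REQUEST_PARAMS))
    print("escaped    :", text_tag_escaped("#parameters.error", REQUEST_PARAMS))
    print("bundle-only:", text_tag_bundle_only("#parameters.error", REQUEST_PARAMS))
    print("s:property :", property_tag("#parameters.error", REQUEST_PARAMS))
    print("review hits:", find_dynamic_text_tags(JSP_SAMPLE))
```

Running the script shows the unescaped model emitting the marker tag verbatim while the escaped, bundle-only and `<s:property/>` paths all emit inert text; the review helper is the kind of check one can run over a JSP tree to find the "hidden somewhere" usages Greg describes before they are shipped.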
