struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Huber <gregh3...@gmail.com>
Subject Re: Referencing request parameters in struts tags.
Date Wed, 16 Nov 2016 10:53:00 GMT
Sounds like a good idea and plug the whole lot in one go.

tomcat 8 is JSP 2.3 and EL 3.0.


######

checking ${parameters.get('error')}

uses org.apache.struts2.dispatcher.Parameter.  If I debug the class it is.
toStringArray() does the conversion to the string, maybe escape here?

strValues[i] = StringEscapeUtils.escapeHtml4(String.valueOf(v));



On 16 November 2016 at 08:35, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> 2016-11-15 9:11 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> > Sorry, back on this again :(
> >
> > Can we check this one?  Pops for me.
> >
> > login.action?error=<script type="text/javascript">alert("ok");</script>
> >
> > ${parameters.get('error')}
> > ${parameters.get('error').value}
> >
> >
> > Where does the ${} reference stuff come from?
>
> It's because of JSTL, I meant Struts supports direct EL calls with
> expressions enclosed in ${} - not sure if we can do anything about
> this :\
> Struts is using JSP API 2.0, starting with JSP API 2.1 it is possible
> to register custom ELResolvers [1] which can be used in the same way
> as we did for OGNL.
>
> [1] https://docs.oracle.com/javaee/6/api/javax/el/ELResolver.html
>
>
> Regards
> --
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message