From Greg Huber <gregh3...@gmail.com>
Subject Re: Referencing request parameters in struts tags.
Date Fri, 11 Nov 2016 12:30:45 GMT
I did a scan through my jsps for s:text (3480 matches!) and this is the
only thing I can find that is non-standard:

<s:iterator var="item" value="list">
  <s:text name="%{#item.key}" />
</s:iterator>

i.e. it's looking for #item.key (i.e. form.value=some text) in the
.properties file:

this does not work:
<s:text name="%{<s:property value='#dg.key' />}" />

and returns:

form.value



On 11 November 2016 at 10:42, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> 2016-11-11 11:21 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> >> What browser do you use?
> >
> > firefox 45.4.0 on centos
>
> Yeah... on Chrome it doesn't work, that's why I wasn't able to reproduce :)
>
> >><s:text/> should only be used to fetch messages from properties files
> >>like you did, exactly what the description says: "Render a I18n text
> >>message". Using it for something else is a bad idea.
> >>I can escape the returning value, this will block JavaScript
> >>injections like you did.
> >
> > Maybe worth only allowing <s:text/> from .properties, as it says in the
> > description?? ...For easier maintenance, and escaping might slow it down
> > even more!!
>
> Hm... good suggestion, escaping can slow down the whole processing;
> also it's the case with defaultMessage, I mean the passed "name" is by
> default set as the defaultMessage, so
>
> <s:text name="<script>alert('ok')</script>" />
>
> will try to find a property with key "<script>alert('ok')</script>"
> but it will fail and fallback to default message which is
> "<script>alert('ok')</script>" - so we must defend the defaultMessage
> plus disable evaluating it against a ValueStack.
>
> Thanks!
>
> https://issues.apache.org/jira/browse/WW-4711
> https://issues.apache.org/jira/browse/WW-4712
>
> > When I started using struts I made the mistake of using <s:text/>
> > incorrectly where I should have used <s:property/>, as it works.  Also I
> > had no idea that these hidden #parameters etc. exist.
>
> Maybe we should've thought about renaming this tag
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

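To illustrate the defaultMessage fallback Lukasz describes, here is an added Java sketch (not Struts code; the class, method names and the sample property are constructed) that places the raw fallback next to a hardened variant that HTML-escapes it before rendering:

```java
import java.util.Properties;

/** Hypothetical model of an i18n text lookup with a defaultMessage fallback. */
public class TextTagFallbackDemo {

    // Constructed sample .properties content, standing in for the application's bundle.
    static final Properties MESSAGES = new Properties();
    static {
        MESSAGES.setProperty("form.value", "some text");
    }

    /** Pre-fix behaviour from the thread: when the key is missing, the raw
     *  'name' is returned as the default message, so any markup in it reaches
     *  the page unescaped. */
    static String renderUnsafe(String name) {
        String msg = MESSAGES.getProperty(name);
        return msg != null ? msg : name;
    }

    /** Hardened variant: the fallback is HTML-escaped and is used only as
     *  literal text, never handed to an expression evaluator. */
    static String renderEscapedFallback(String name) {
        String msg = MESSAGES.getProperty(name);
        return msg != null ? msg : escapeHtml(name);
    }

    /** Minimal HTML entity escaping for the five characters that matter in text nodes. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String hostile = "<script>alert('ok')</script>";   // the payload quoted in the thread
        System.out.println(renderUnsafe("form.value"));     // resolves from the bundle
        System.out.println(renderUnsafe(hostile));          // missing key: markup echoed back
        System.out.println(renderEscapedFallback(hostile)); // missing key: markup neutralised
    }
}
```

The escaping alone covers the "defend the defaultMessage" half of the fix; the other half, not evaluating the fallback against the ValueStack, is a matter of never passing the unresolved name to the expression engine at all.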