struts-dev mailing list archives

From Greg Huber <gregh3...@gmail.com>
Subject Re: Referencing request parameters in struts tags.
Date Wed, 16 Nov 2016 12:12:26 GMT
Ah, was still testing. See last note, guess that's just java, hmm.


....To block both

${parameters.get('error')}
${parameters.get('error').value}

we need to escape the getValue() method rather than the toString()

@Override
public String getValue() {
    String[] values = toStringArray();
    return (values != null && values.length > 0) ?
        StringEscapeUtils.escapeHtml4(values[0]) : null;
}

##

${parameters.get('error').getClass().getClassLoader()}

this is a scary one??  Returns the org.apache.catalina.loader.WebappClassLoader
....ouch



On 16 November 2016 at 11:46, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> pushed to git, thanks!
>
> 2016-11-16 12:12 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> > Yep it works.  It matches the <property> escaping default also. I will do
> > some more testing also.
> >
> > @Override
> > public String toString() {
> >     return StringEscapeUtils.escapeHtml4(getValue());
> > }
> >
> > On 16 November 2016 at 10:58, Lukasz Lenart <lukaszlenart@apache.org> wrote:
> >
> >> 2016-11-16 11:53 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> >> > Sounds like a good idea and plug the whole lot in one go.
> >> >
> >> > tomcat 8 is JSP 2.3 and EL 3.0.
> >> >
> >> >
> >> > ######
> >> >
> >> > checking ${parameters.get('error')}
> >> >
> >> > uses org.apache.struts2.dispatcher.Parameter.  If I debug the class it is.
> >> > toStringArray() does the conversion to the string, maybe escape here?
> >> >
> >> > strValues[i] = StringEscapeUtils.escapeHtml4(String.valueOf(v));
> >>
> >> I think it's because of toString() implementation but this should be
> >> ok to escape in toString(), let me check that.
> >>
> >>
> >> Regards
> >> --
> >> Ɓukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >> For additional commands, e-mail: dev-help@struts.apache.org
> >>
> >>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
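The two escaping placements compared in this thread, as an added example that is not Struts' own code: a hypothetical Parameter-like wrapper with a local stand-in for StringEscapeUtils.escapeHtml4, showing that escaping only in toString() covers ${p} but not ${p.value}, while escaping in getValue() covers both access paths without double escaping.

```java
// Hypothetical stand-in for org.apache.struts2.dispatcher.Parameter (not Struts code),
// used to compare escaping in toString() with escaping in getValue().
public class ParameterEscapeDemo {
    // Stand-in for StringEscapeUtils.escapeHtml4 so the demo needs no dependency;
    // it handles the characters that matter in HTML text and attribute context.
    static String escapeHtml4(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Variant 1: escape only in toString(). JSP EL ${p} renders via toString(),
    // but ${p.value} calls getValue() directly and receives the raw markup.
    static class ToStringEscapingParameter {
        final String[] values;
        ToStringEscapingParameter(String... values) { this.values = values; }
        public String getValue() {
            return (values != null && values.length > 0) ? values[0] : null;
        }
        @Override public String toString() { return escapeHtml4(getValue()); }
    }

    // Variant 2: escape in getValue(), as the thread settled on. toString() then
    // returns getValue() unchanged so the value is escaped exactly once.
    static class ValueEscapingParameter extends ToStringEscapingParameter {
        ValueEscapingParameter(String... values) { super(values); }
        @Override public String getValue() { return escapeHtml4(super.getValue()); }
        @Override public String toString() { return getValue(); }
    }

    public static void main(String[] args) {
        String raw = "<i>hi</i> & \"bye\""; // constructed sample request parameter
        ToStringEscapingParameter a = new ToStringEscapingParameter(raw);
        ValueEscapingParameter b = new ValueEscapingParameter(raw);
        System.out.println("${p}       v1: " + a);            // escaped
        System.out.println("${p.value} v1: " + a.getValue()); // raw markup leaks through
        System.out.println("${p}       v2: " + b);            // escaped
        System.out.println("${p.value} v2: " + b.getValue()); // escaped, not doubly
    }
}
```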
