struts-dev mailing list archives

From Greg Huber <gregh3...@gmail.com>
Subject Re: Referencing request parameters in struts tags.
Date Fri, 11 Nov 2016 11:23:56 GMT
> <s:text name="<script>alert('ok')</script>" />

....this pops!

> Maybe we should've thought about renaming this tag


Think we are OK here as it does say what it does, maybe could add more info
in the hover if we are going to change it.  Currently it says "Render a
I18n text message"

##

<s:text name="script.test"/>
script.test=<script type="text/javascript">alert("ok");</script>

this pops

..but do have html in the ApplicationResources.properties file so sometimes
I want it rendered as html eg <em>Important</em> but any <script></script>
could be escaped when it's loaded from the file initially?  It's difficult
to say how far to take this!

Think reducing the scope of <s:text> is worth doing, it's easy to convert to
<s:property> and also reduces the duplication / maintenance also.


On 11 November 2016 at 10:42, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> 2016-11-11 11:21 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> >> What browser do you use?
> >
> > firefox 45.4.0 on centos
>
> Yeah... on Chrome it doesn't work that's why I wasn't able to reproduce :)
>
> >><s:text/> should only be used to fetch messages from properties files
> >>like you did, exactly what description says "Render a I18n text
> >>message". Using it for something else is a bad idea.
> >>I can escape the returning value, this will block JavaScript
> >>injections like you did.
> >
> > Maybe worth only allowing <s:text/> from .properties, as it says in the
> > description?? ...For easier maintenance and escaping might slow it down
> > even more!!
>
> Hm... good suggestion, escaping can slow down the whole processing
> also it's a case with defaultMessage, I mean passed "name" by default
> is set as a defaultMessage so
>
> <s:text name="<script>alert('ok')</script>" />
>
> will try to find a property with key "<script>alert('ok')</script>"
> but it will fail and fallback to default message which is
> "<script>alert('ok')</script>" - so we must defend the defaultMessage
> plus disable evaluating it against a ValueStack.
>
> Thanks!
>
> https://issues.apache.org/jira/browse/WW-4711
> https://issues.apache.org/jira/browse/WW-4712
>
> > When I started using struts I made the mistake of using <s:text/>
> > incorrectly where I should have used <s:properties/> as it works.  Also I
> > had no idea that these hidden #parameters etc exist.
>
> Maybe we should've thought about renaming this tag
>
>
> Regards
> --
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
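As an added illustration (not Struts' own code and not from anyone in this thread), a hypothetical sketch of the fallback path Lukasz describes: a bundle hit is returned as authored, so the <em>Important</em> case from the properties file still renders, while a miss falls back to the escaped name and is never handed to an expression evaluator. The MESSAGES map, renderUnsafe and renderSafe are assumed names.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for the <s:text> lookup; not Struts' implementation.
public final class TextTagFallback {
    // Constructed stand-in for ApplicationResources.properties.
    static final Map<String, String> MESSAGES = new HashMap<>();
    static {
        // Developer-authored markup that is meant to render as HTML.
        MESSAGES.put("script.test", "<em>Important</em>");
    }

    // Minimal HTML escaping for the fallback path.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Behaviour the thread reports: a missing key makes the tag echo the
    // name back verbatim as the defaultMessage.
    static String renderUnsafe(String name) {
        String msg = MESSAGES.get(name);
        return msg != null ? msg : name;
    }

    // Hardened form: bundle text is trusted (authored in the .properties
    // file), but the fallback originates from the tag attribute, so it is
    // escaped and never passed to an OGNL/ValueStack evaluation.
    static String renderSafe(String name) {
        String msg = MESSAGES.get(name);
        return msg != null ? msg : escapeHtml(name);
    }

    public static void main(String[] args) {
        String injected = "<script>alert('ok')</script>";
        System.out.println(renderUnsafe(injected));
        System.out.println(renderSafe(injected));
        System.out.println(renderSafe("script.test"));
    }
}
```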
