struts-dev mailing list archives

From Greg Huber <gregh3...@gmail.com>
Subject Re: Referencing request parameters in struts tags.
Date Fri, 11 Nov 2016 08:13:00 GMT
>Are you sure you are using the latest SNAPSHOT build? I cannot confirm
>this locally
>http://screencast.com/t/j5Fz7EnBD4SZ

I have rechecked it and it still pops

<s:text name="#parameters.error"/>

struts2-core-2.5.6-SNAPSHOT.jar  and is dated 7/11/2016

>but this is basically your fault as a developer. I'm going to mark
>.toMap as deprecated and hide access to it.

Agreed, but security breaches can come from within, especially on large
projects, and it's easy to hide a <s:text name="getParameter('error')" />
somewhere.

Is there a reason why the s:text has such a wide usage?  I really only use
it for text from my ApplicationResources.properties.  I use s:property for
all the get(..) etc stuff.

and

<s:property value="#parameters.error"/>

is blocked.



On 10 November 2016 at 19:02, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> 2016-11-08 13:06 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> > Nearly:
> >
> > <s:text name="#parameters.get('error').value"/>
> >
> > This is now blocked :
> >
> > #parameters.get('error').value
> >
> > But:
> >
> > <s:text name="#parameters.error"/>
> >
> > Does the popup!
>
> Are you sure you are using the latest SNAPSHOT build? I cannot confirm
> this locally
> http://screencast.com/t/j5Fz7EnBD4SZ
>
> > #####
> >
> > Also, if I modify my class for HttpParametersAware and use the new
> > HttpParameters
> >
> > ie
> > public void setParameters(HttpParameters parameters) {
> >     this.params = parameters.toMap();
> > }
> >
> > public String getParameter(String key) {
> >     String[] p = (String[]) this.params.get(key);
> >     if (p != null && p.length > 0) {
> >         return p[0];
> >     }
> >     return null;
> > }
> >
> > then :
> >
> > <s:text name="getParameter('error')" />
> >
> > I also get the popup
>
> but this is basically your fault as a developer. I'm going to mark
> .toMap as deprecated and hide access to it.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
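
One way to keep the raw `error` parameter away from `s:text` altogether, as an added example that is not part of the original messages or the Struts code base: the action reads the parameter through `HttpParameters` without `toMap()` and exposes only an allowlisted message key to the JSP. The class name, error codes and message keys are hypothetical.

```java
// Added example (not from the thread). LoginAction, the error codes and the
// message keys are hypothetical; the Struts types are those of the 2.5.x line
// discussed above.
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.dispatcher.HttpParameters;
import org.apache.struts2.dispatcher.Parameter;
import org.apache.struts2.interceptor.HttpParametersAware;

public class LoginAction extends ActionSupport implements HttpParametersAware {

    // Allowlist: request value -> key in ApplicationResources.properties.
    private static final Map<String, String> ERROR_KEYS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("expired", "error.session.expired");
        m.put("denied", "error.access.denied");
        ERROR_KEYS = Collections.unmodifiableMap(m);
    }

    // Stays null unless the request value matched the allowlist.
    private String errorKey;

    @Override
    public void setParameters(HttpParameters parameters) {
        // No toMap(): read the single parameter through the Parameter wrapper
        // and never store the attacker-controlled string itself.
        Parameter error = parameters.get("error");
        if (error != null && error.isDefined()) {
            errorKey = ERROR_KEYS.get(error.getValue());
        }
    }

    // The JSP only ever sees one of the fixed keys above, for example:
    //   <s:if test="errorKey != null"><s:text name="%{errorKey}"/></s:if>
    public String getErrorKey() {
        return errorKey;
    }
}
```

With this shape, a grep for `#parameters` or `getParameter(` in JSPs has nothing legitimate to match, which makes a hidden use of the kind described above easier to spot in review.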
