struts-dev mailing list archives

From Greg Huber <gregh3...@gmail.com>
Subject Re: Referencing request parameters in struts tags.
Date Sat, 12 Nov 2016 08:43:12 GMT
> <s:text name="<script>alert('ok')</script>" />
>In the latest build? Because I see something like this in source page
>Test: &lt;script&gt;alert(\'ok\')&lt;\/script&gt;

OK, it is escaped.

<script>alert(\'ok\')<\/script>

##

> script.test=<script type="text/javascript">alert("ok");</script>
> <s:text name="script.test"/>

script.test is in my .properties file, but as we are not escaping I would
expect this to pop.

My tests:

<s:if test="#parameters.contains('error')">
                <ul>
                    <li>
                        1<s:text name="#parameters.get('error').value"/>
                    </li>
                    <li>
                        2 <s:text name="#parameters.error"/>
                    </li>
                    <li>
                        3 <s:property value="#parameters.error"/>
                    </li>
                    <li>
                        <s:text name="getParameter('error')" />
                    </li>
                    <li>
                        4 <s:property
value="%{#parameters.get('error').value}"/>
                    </li>
                    <li>
                        5 <s:text name="<script>alert('ok')</script>" />
                    </li>
                    <li>
                        6 <s:text name="script.test"/>
                    </li>
                </ul>
            </s:if>

   - 1#parameters.get(\'error\').value
   - 2 #parameters.error
   - 3 <script type="text/javascript">alert("ok");</script>
   - getParameter(\'error\')
   - 4
   - 5 <script>alert(\'ok\')<\/script>
   - 6

#6 is the only one that pops now, which is correct.


On 12 November 2016 at 08:24, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> 2016-11-11 12:23 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> >> <s:text name="<script>alert('ok')</script>" />
> >
> > ....this pops!
>
> In the latest build? Because I see something like this in source page
>
> Test: &lt;script&gt;alert(\'ok\')&lt;\/script&gt;
>
> >> Maybe we should've thought about renaming this tag
> >
> >
> > Think we are OK here as it does say what it does, maybe could add more
> info
> > in the hover if we are going to change it.  Currently it says "Render a
> > I18n text message"
> >
> > ##
> >
> > <s:text name="script.test"/>
> > script.test=<script type="text/javascript">alert("ok");</script>
>
> I assume you meant that "script.test=<script
> type="text/javascript">alert("ok");</script>" is passed a request
> parameter? So again are using the latest build because I cannot
> confirm this.
>
> > ..but do have html in the ApplicationResources.properties file so
> sometimes
> > I want it rendered as html eg <em>Important</em> but any
> <script></script>
> > could be escaped when it's loaded from the file initially?  It's
> difficult
> > to say how far to take this!
>
> To be clear, this won't affect your messages from .properties files,
> so if you are using html in there you will get that html on your page,
> it won't be escaped. Right now, after disabling searching default
> message in ValueStack, even escaping is not needed.
>
> > Think reducing the scope of <s:text> is worth doing, it's easy to convert
> to
> > <s:property> and also reduces the duplication / maintenance also.
>
> Yes, but both these tags have different use cases, so I would leave
> them and just improve them.
>
>
> Regards
> --
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

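The behaviour the thread is testing can be replayed outside a servlet container. The class below is an added example, not code from this thread or from Struts itself: it models `<s:text name="..."/>` resolution with a constructed stand-in for `ApplicationResources.properties`, a constructed `error` request parameter, and a deliberately tiny stand-in for OGNL evaluation that only understands the `#parameters.<key>` form used in the thread. The `searchValueStackForDefault` flag is this example's own name for the legacy behaviour Lukasz describes (a missing key is evaluated as an expression against the value stack), not a Struts setting. The assumption that the fixed behaviour writes the missing key out literally and escaped is taken from the rendered output Greg quotes (cases 1, 2 and 5).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Toy model of how an <s:text name="..."/> lookup can be resolved, used to
 * replay the cases from the thread. This is NOT Struts code: the bundle, the
 * request parameters and the "value stack" are stand-ins, and the expression
 * evaluator is reduced to the single form the thread uses (#parameters.<key>).
 */
public class TextTagEscapingCheck {

    // Constructed stand-in for ApplicationResources.properties.
    static final Map<String, String> BUNDLE = new LinkedHashMap<>();
    // Constructed stand-in for the request parameters (?error=...).
    static final Map<String, String> PARAMS = new LinkedHashMap<>();
    static {
        BUNDLE.put("script.test", "<script type=\"text/javascript\">alert(\"ok\");</script>");
        PARAMS.put("error", "<script type=\"text/javascript\">alert(\"ok\");</script>");
    }

    // Minimal HTML escaping, the same idea as the default escaping of <s:property>.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&#34;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Accepts "#parameters.error" and "%{#parameters.error}"; nothing else.
    private static final Pattern PARAM_EXPR =
            Pattern.compile("^%?\\{?#parameters\\.(\\w+)\\}?$");

    /** Stand-in for expression evaluation against the value stack. */
    static String evaluate(String expr) {
        Matcher m = PARAM_EXPR.matcher(expr.trim());
        if (m.matches()) {
            String v = PARAMS.get(m.group(1));
            return v == null ? "" : v;
        }
        return ""; // unsupported forms evaluate to nothing, like cases 1 and 4 in the thread
    }

    /**
     * Model of <s:text name="..."/>.
     * searchValueStackForDefault=true models the legacy behaviour: a key that is not in the
     * bundle is evaluated as an expression and the result is written out unescaped, so a
     * request parameter reaches the page raw (case 2 "pops").
     * searchValueStackForDefault=false models the fixed behaviour: the missing key is
     * written out literally and escaped, matching the output quoted in the thread.
     */
    static String renderText(String name, boolean searchValueStackForDefault) {
        String msg = BUNDLE.get(name);
        if (msg != null) {
            return msg; // .properties messages are trusted and rendered as-is (case 6)
        }
        if (searchValueStackForDefault) {
            String evaluated = evaluate(name);
            if (!evaluated.isEmpty()) {
                return evaluated; // attacker-controlled value, no escaping applied
            }
        }
        return escapeHtml(name);
    }

    /** Model of <s:property value="..."/>: evaluated, then escaped by default (case 3). */
    static String renderProperty(String value) {
        return escapeHtml(evaluate(value));
    }

    public static void main(String[] args) {
        String[] names = {
            "#parameters.get('error').value",   // case 1
            "#parameters.error",                // case 2
            "getParameter('error')",            // unnumbered case
            "<script>alert('ok')</script>",     // case 5
            "script.test"                       // case 6
        };
        for (boolean legacy : new boolean[] {true, false}) {
            System.out.println(legacy
                    ? "-- legacy: missing key evaluated against the value stack"
                    : "-- fixed: missing key rendered literally");
            for (String n : names) {
                System.out.println("<s:text name=\"" + n + "\"/> -> " + renderText(n, legacy));
            }
            System.out.println("<s:property value=\"#parameters.error\"/> -> "
                    + renderProperty("#parameters.error"));
        }
    }
}
```

Run with `javac TextTagEscapingCheck.java && java TextTagEscapingCheck`. In legacy mode only case 2 returns the raw script from the request parameter; in fixed mode every missing key comes back escaped, `<s:property>` escapes its evaluated value, and `script.test` is still rendered unescaped from the bundle, which is the split between trusted `.properties` content and request input that the thread settles on.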