struts-dev mailing list archives

From Lukasz Lenart <>
Subject Re: Referencing request parameters in struts tags.
Date Fri, 11 Nov 2016 10:42:47 GMT
2016-11-11 11:21 GMT+01:00 Greg Huber <>:
>> What browser do you use?
> firefox 45.4.0 on centos

Yeah... on Chrome it doesn't work, that's why I wasn't able to reproduce :)

>><s:text/> should only be used to fetch messages from properties files
>>like you did, exactly what the description says: "Render a I18n text
>>message". Using it for something else is a bad idea.
>>I can escape the returned value, this will block JavaScript
>>injections like you did.
> Maybe worth only allowing <s:text/> from .properties, as it says in the
> description?? ...For easier maintenance, and escaping might slow it down
> even more!!

Hm... good suggestion. Escaping can slow down the whole processing;
also it's the case with defaultMessage, I mean the passed "name" by default
is set as the defaultMessage, so

<s:text name="<script>alert('ok')</script>" />

will try to find a property with key "<script>alert('ok')</script>"
but it will fail and fallback to default message which is
"<script>alert('ok')</script>" - so we must defend the defaultMessage
plus disable evaluating it against a ValueStack.


> When I started using struts I made the mistake of using <s:text/>
> incorrectly where I should have used <s:properties/> as it works. Also I
> had no idea that these hidden #parameters etc exist.

Maybe we should've thought about renaming this tag

+ 48 606 323 122
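Worked illustration added here by the editor; it is not Struts code and not part of the original thread. It is a minimal Java model of the lookup-and-fallback path described above: a HashMap stands in for the .properties bundle, and the hypothetical renderUnescaped/renderEscaped methods show why the fallback default message (which is attacker-controllable when it comes from the tag's name attribute) has to be HTML-escaped before it reaches the page, while the bundle's own text is left as-is. It models only the escaping; the separate point about not evaluating the default message against the ValueStack is not modelled.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Editor's model of an i18n text tag's key lookup with fallback to the
 * key itself as the default message. Not the Struts implementation.
 */
public class TextTagFallbackDemo {

    // Constructed stand-in for a resource bundle loaded from .properties.
    private static final Map<String, String> MESSAGES = new HashMap<>();
    static {
        MESSAGES.put("label.greeting", "Hello");
    }

    /** Behaviour described in the thread: an unknown key is echoed back unescaped. */
    static String renderUnescaped(String name) {
        String msg = MESSAGES.get(name);
        return msg != null ? msg : name;   // fallback: defaultMessage == name
    }

    /** Hardened variant: only the untrusted fallback is escaped. */
    static String renderEscaped(String name) {
        String msg = MESSAGES.get(name);
        if (msg != null) {
            return msg;                    // text from the bundle, kept as authored
        }
        return htmlEscape(name);           // default message came from the tag attribute
    }

    /** Escapes the characters that matter in an HTML text/attribute context. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed payload: the same key used in the discussion above.
        String payload = "<script>alert('ok')</script>";

        System.out.println(renderUnescaped("label.greeting")); // resolved from the bundle
        System.out.println(renderUnescaped(payload));          // fallback written raw
        System.out.println(renderEscaped(payload));            // fallback escaped
    }
}
```

Escaping only the fallback keeps existing pages working: messages that deliberately carry markup in the .properties file still render as before, and the escaping cost is paid only on the miss path, which is the case the "might slow it down" concern was about.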
