struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Referencing request parameters in struts tags.
Date Fri, 11 Nov 2016 10:42:47 GMT
2016-11-11 11:21 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
>> What browser do you use?
>
> firefox 45.4.0 on centos

Yeah... on Chrome it doesn't work, that's why I wasn't able to reproduce :)

>> <s:text/> should only be used to fetch messages from properties files
>> like you did, exactly what description says "Render a I18n text
>> message". Using it to something else is a bad idea.
>> I can escape the returning value, this will block JavaScript
>> injections like you did.
>
> Maybe worth only allowing <s:text/> from .properties, as it says in the
> description?? ...For easier maintenance and escaping might slow it down
> even more!!

Hm... good suggestion, escaping can slow down the whole processing.
Also, it's a case with defaultMessage, I mean the passed "name" by default
is set as a defaultMessage, so

<s:text name="<script>alert('ok')</script>" />

will try to find a property with key "<script>alert('ok')</script>"
but it will fail and fallback to default message which is
"<script>alert('ok')</script>" - so we must defend the defaultMessage
plus disable evaluating it against a ValueStack.

Thanks!

https://issues.apache.org/jira/browse/WW-4711
https://issues.apache.org/jira/browse/WW-4712

> When I started using struts I made the mistake of using <s:text/>
> incorrectly where I should have used <s:properties/> as it works.  Also I
> had no idea that these hidden #parameters etc exist.

Maybe we should've thought about renaming this tag


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
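
The fallback path described in this thread (key not found, so the `name` becomes the rendered default), written out as an added standalone example rather than Struts' own tag code: the message map, the `text()` helper and its escaping are hypothetical stand-ins that show the defended behaviour (escape the default message and never evaluate it as an expression).

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not Struts code: a minimal message lookup that mirrors the
// fix discussed in the thread. An unresolved key falls back to the default
// message, but that default is HTML-escaped and never evaluated against a
// value stack, so a key like "<script>alert('ok')</script>" renders inert.
public class SafeTextLookup {

    // Constructed stand-in for the application's .properties file.
    private static final Map<String, String> MESSAGES = new HashMap<>();
    static {
        MESSAGES.put("greeting", "Hello, world");
    }

    // Escape the characters that change meaning inside an HTML element body.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Resolve a message key. A hit returns the application's own text; a miss
    // returns the escaped default (or the escaped key when no default is given)
    // without passing it through any expression evaluator.
    static String text(String name, String defaultMessage) {
        String found = MESSAGES.get(name);
        if (found != null) {
            return found; // trusted: authored in the properties file
        }
        String fallback = (defaultMessage != null) ? defaultMessage : name;
        return escapeHtml(fallback);
    }

    public static void main(String[] args) {
        System.out.println(text("greeting", null));
        // Unknown key: the fallback is shown as literal text, not executed.
        System.out.println(text("<script>alert('ok')</script>", null));
    }
}
```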


