struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Referencing request parameters in struts tags.
Date Tue, 08 Nov 2016 10:44:52 GMT
Pushed changes to the repo, you can test with the latest SNAPSHOT version

2016-11-02 10:28 GMT+01:00 Lukasz Lenart <lukaszlenart@apache.org>:
> 2016-11-02 9:19 GMT+01:00 Lukasz Lenart <lukaszlenart@apache.org>:
>> 2016-11-02 9:12 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
>>> Looking at this:
>>>
>>> <s:if test="#parameters.contains('error')">
>>>   <ul><li>
>>>     <s:text name="#parameters.get('error').value"/>
>>>   </li></ul>
>>> </s:if>
>>>
>>> and if I use :
>>>
>>> login.action?error=<script type="text/javascript">alert("ok1");</script>
>>>
>>> I get a js alert box popup.
>>>
>>> Should it be able to popup the alert box?  Thought this kind of script
>>> should be escaped.
>>
>> Yeah, that's why calling directly .value in your scriptlet isn't a good
>> practice and I want to add a dedicated converter/accessor for
>> HttpParameters to avoid such a situation.
>
> Small progress
>
> These don't work as access to .value is not allowed
> Test: <s:property value="%{#parameters.message.value}"/>
> Test: <s:property value="%{#parameters.get('message').value}"/>
> Test: <s:text name="%{#parameters.message.value}"/>
> Test: <s:text name="%{#parameters.get('message').value}"/>
>
> These work and are safe
> Test: <s:property value="%{#parameters.message}"/>
> Test: <s:text name="%{#parameters.message}"/>
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org

