struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Referencing request parameters in struts tags.
Date Wed, 02 Nov 2016 08:19:24 GMT
2016-11-02 9:12 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> Looking at this:
>
> <s:if test="#parameters.contains('error')">
>   <ul><li>
>     <s:text name="#parameters.get('error').value"/>
>   </li></ul>
> </s:if>
>
> and if I use :
>
> login.action?error=<script type="text/javascript">alert("ok1");</script>
>
> I get a js alert box popup.
>
> Should it be able to popup the alert box?  Thought this kind of script
> should be escaped.

Yeah, that's why calling directly .value in your scriplet isn't a good
practise and I want to add a dedicated converter/accessor for
HttpParameters to avoid such situation.


Regards
-- 
Ɓukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Mime
View raw message