struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Referencing request parameters in struts tags.
Date Fri, 11 Nov 2016 10:06:42 GMT
2016-11-11 9:13 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
>> Are you sure you are using the latest SNAPSHOT build? I cannot confirm
>> this locally
>> http://screencast.com/t/j5Fz7EnBD4SZ
>
> I have rechecked it and it still pops
>
> <s:text name="#parameters.error"/>
>
> struts2-core-2.5.6-SNAPSHOT.jar  and is dated 7/11/2016

What browser do you use?

>> but this is basically your fault as a developer. I'm going to mark
>> .toMap as deprecated and hide access to it.
>
> agreed, but security breaches can come from within, especially on large
> projects, and it's easy to hide a <s:text name="getParameter('error')" />
> somewhere.
>
> Is there a reason why the s:text has such a wide usage?  I really only use
> it for text from my ApplicationResources.properties.  I use s:property for
> all the get(..) etc stuff.

<s:text/> should only be used to fetch messages from properties files
like you did, exactly what the description says: "Render a I18n text
message". Using it for something else is a bad idea.
I can escape the returned value; this will block JavaScript
injections like the one you did.

> <s:property value="#parameters.error"/>
>
> is blocked.

Cool :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
