struts-dev mailing list archives

From Lukasz Lenart <>
Subject Re: Referencing request parameters in struts tags.
Date Fri, 11 Nov 2016 10:06:42 GMT
2016-11-11 9:13 GMT+01:00 Greg Huber <>:
>> Are you sure you are using the latest SNAPSHOT build? I cannot confirm
>> this locally
> I have rechecked it and it still pops
> <s:text name="#parameters.error"/>
> struts2-core-2.5.6-SNAPSHOT.jar  and is dated 7/11/2016

What browser do you use?

>>but this is basically your fault as a developer. I'm going to mark
>>.toMap as deprecated and hide access to it.
> agreed, but security breaches can come from within especially on large
> projects and it's easy to hide a <s:text name="getParameter('error')" />
> somewhere.
> Is there a reason why the s:text has such a wide usage?  I really only use
> it for text from my  I use s:property for
> all the get(..) etc stuff.

<s:text/> should only be used to fetch messages from properties files
like you did, exactly what the description says: "Render a I18n text
message". Using it for something else is a bad idea.
I can escape the returned value, which will block JavaScript
injections like you did.

> <s:property value="#parameters.error"/>
> is blocked.

Cool :)


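The concern raised in the thread, that a `<s:text>` tag fed from request data is easy to hide in a large project, can be checked for mechanically. The following is an added example, not part of the original message or of Struts: a Python audit sketch that flags `<s:text>` tags whose `name` is not a plain message key. The function name `audit_jsp`, the key pattern and the sample JSP are assumptions of this example.

```python
import re

# Opening <s:text ...> tag with its name attribute; \b keeps <s:textfield> out.
S_TEXT = re.compile(r"""<s:text\b[^>]*?\bname\s*=\s*(["'])(.*?)\1""", re.I | re.S)

# Assumption: a resource-bundle key is letters, digits, dots, '_' and '-'.
PLAIN_KEY = re.compile(r"^[A-Za-z0-9_.\-]+$")

# The two request-parameter forms quoted in the thread.
REQUEST_DATA = re.compile(r"#parameters\b|getParameter\s*\(")


def audit_jsp(source, filename="<jsp>"):
    """Return (file, line, kind, name) for each <s:text> not using a plain key."""
    findings = []
    for match in S_TEXT.finditer(source):
        name = match.group(2).strip()
        if PLAIN_KEY.match(name):
            continue  # ordinary i18n lookup, the intended use of the tag
        line = source.count("\n", 0, match.start()) + 1
        kind = "request-data" if REQUEST_DATA.search(name) else "expression"
        findings.append((filename, line, kind, name))
    return findings


# Constructed sample page, not taken from any real project.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<h1><s:text name="login.title"/></h1>
<p class="error"><s:text name="#parameters.error"/></p>
<p><s:text name="getParameter('error')" /></p>
<p><s:property value="#parameters.error"/></p>
<s:text
    name="%{messageKey}"/>
"""

if __name__ == "__main__":
    for filename, line, kind, name in audit_jsp(SAMPLE_JSP, "error.jsp"):
        print(f"{filename}:{line}: [{kind}] <s:text name=\"{name}\">")
```

Findings of kind `request-data` are the pattern discussed in this message; `expression` findings are names that are not plain keys and need a manual look.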