struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Referencing request parameters in struts tags.
Date Sat, 12 Nov 2016 09:04:13 GMT
ok, cool :)

2016-11-12 9:43 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
>> <s:text name="<script>alert('ok')</script>" />
>> In the latest build? Because I see something like this in source page
>> Test: &lt;script&gt;alert(\'ok\')&lt;\/script&gt;
>
> OK, is escaped.
>
> <script>alert(\'ok\')<\/script>
>
> ##
>
>> script.test=<script type="text/javascript">alert("ok");</script>
>> <s:text name="script.test"/>
>
> script.test is in my .properties file, but as we are not escaping I would
> expect this to pop.
>
> My tests:
>
> <s:if test="#parameters.contains('error')">
>                 <ul>
>                     <li>
>                         1<s:text name="#parameters.get('error').value"/>
>                     </li>
>                     <li>
>                         2 <s:text name="#parameters.error"/>
>                     </li>
>                     <li>
>                         3 <s:property value="#parameters.error"/>
>                     </li>
>                     <li>
>                         <s:text name="getParameter('error')" />
>                     </li>
>                     <li>
>                         4 <s:property value="%{#parameters.get('error').value}"/>
>                     </li>
>                     <li>
>                         5 <s:text name="<script>alert('ok')</script>" />
>                     </li>
>                     <li>
>                         6 <s:text name="script.test"/>
>                     </li>
>                 </ul>
>             </s:if>
>
>    - 1#parameters.get(\'error\').value
>    - 2 #parameters.error
>    - 3 <script type="text/javascript">alert("ok");</script>
>    - getParameter(\'error\')
>    - 4
>    - 5 <script>alert(\'ok\')<\/script>
>    - 6
>
> #6 is the only one now that pops which is correct.
>
>
> On 12 November 2016 at 08:24, Lukasz Lenart <lukaszlenart@apache.org> wrote:
>
>> 2016-11-11 12:23 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
>> >> <s:text name="<script>alert('ok')</script>" />
>> >
>> > ....this pops!
>>
>> In the latest build? Because I see something like this in source page
>>
>> Test: &lt;script&gt;alert(\'ok\')&lt;\/script&gt;
>>
>> >> Maybe we should've thought about renaming this tag
>> >
>> >
>> > Think we are OK here as it does say what it does, maybe could add more
>> > info in the hover if we are going to change it.  Currently it says "Render a
>> > I18n text message"
>> >
>> > ##
>> >
>> > <s:text name="script.test"/>
>> > script.test=<script type="text/javascript">alert("ok");</script>
>>
>> I assume you meant that "script.test=<script
>> type="text/javascript">alert("ok");</script>" is passed as a request
>> parameter? So again, are you using the latest build? Because I cannot
>> confirm this.
>>
>> > ..but do have html in the ApplicationResources.properties file so
>> > sometimes I want it rendered as html eg <em>Important</em> but any
>> > <script></script> could be escaped when it's loaded from the file initially?
>> > It's difficult to say how far to take this!
>>
>> To be clear, this won't affect your messages from .properties files,
>> so if you are using html in there you will get that html on your page,
>> it won't be escaped. Right now, after disabling searching default
>> message in ValueStack, even escaping is not needed.
>>
>> > Think reducing the scope of <s:text> is worth doing, it's easy to convert
>> > to <s:property> and it also reduces the duplication / maintenance.
>>
>> Yes, but both these tags have different use cases, so I would leave
>> them, just improve.
>>
>>
>> Regards
>> --
>> Ɓukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>
>>
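The distinction the thread settles on is that a message key resolved from the .properties bundle is developer-authored and may legitimately contain HTML, while a `name` that is not a known key (for instance one built from a request parameter) is untrusted default text and must be escaped before it reaches the page. The following is an added illustration written for this archive page, not code from Struts or from either poster: a stand-alone resolver that models that rule. The class name `SafeTextResolver`, the in-memory `bundle` standing in for `ApplicationResources.properties`, and the sample keys are all constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration (not Struts code): a minimal model of a text tag that
 * renders resource-bundle messages verbatim but HTML-escapes any fallback
 * text whose source is not the bundle, such as a request parameter value.
 */
public class SafeTextResolver {

    // Constructed sample bundle standing in for ApplicationResources.properties
    private final Map<String, String> bundle = new HashMap<>();

    public SafeTextResolver() {
        // Developer-authored messages; intentional markup is allowed here
        bundle.put("greeting", "Hello <em>Important</em> user");
        bundle.put("script.test",
                "<script type=\"text/javascript\">alert(\"ok\");</script>");
    }

    /** Escape the characters that change meaning in HTML element or attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * A key present in the bundle is trusted and returned as-is (it may carry
     * intentional HTML, as the thread wants for messages like <em>Important</em>).
     * Anything else is treated as default text and escaped, so input that
     * arrived via a request parameter is never emitted as live markup.
     */
    public String render(String name) {
        String message = bundle.get(name);
        if (message != null) {
            return message;        // trusted: comes from the bundle, not the request
        }
        return escapeHtml(name);   // untrusted fallback: neutralise any markup
    }

    public static void main(String[] args) {
        SafeTextResolver r = new SafeTextResolver();

        // Constructed request parameter value, the kind of input the
        // thread tests via #parameters.error
        String errorParam = "<script>alert('ok')</script>";

        System.out.println(r.render("greeting"));    // bundle message, markup kept
        System.out.println(r.render("script.test")); // bundle message, markup kept (case #6 above)
        System.out.println(r.render(errorParam));    // unknown key: escaped, cannot execute
    }
}
```

The point of the split is where the string came from, not what it contains: `render("script.test")` still emits the script because the bundle is under the developer's control, which matches the thread's conclusion that only case #6 should execute. A deployment that does not want markup from the bundle either can simply route the bundle branch through `escapeHtml` as well.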
