struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Referencing request parameters in struts tags.
Date Wed, 02 Nov 2016 09:28:34 GMT
2016-11-02 9:19 GMT+01:00 Lukasz Lenart <lukaszlenart@apache.org>:
> 2016-11-02 9:12 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
>> Looking at this:
>>
>> <s:if test="#parameters.contains('error')">
>>   <ul><li>
>>     <s:text name="#parameters.get('error').value"/>
>>   </li></ul>
>> </s:if>
>>
>> and if I use :
>>
>> login.action?error=<script type="text/javascript">alert("ok1");</script>
>>
>> I get a js alert box popup.
>>
>> Should it be able to popup the alert box?  Thought this kind of script
>> should be escaped.
>
> Yeah, that's why calling directly .value in your scriptlet isn't a good
> practice and I want to add a dedicated converter/accessor for
> HttpParameters to avoid such a situation.

Small progress

These don't work as access to .value is not allowed
Test: <s:property value="%{#parameters.message.value}"/>
Test: <s:property value="%{#parameters.get('message').value}"/>
Test: <s:text name="%{#parameters.message.value}"/>
Test: <s:text name="%{#parameters.get('message').value}"/>

These work and are safe
Test: <s:property value="%{#parameters.message}"/>
Test: <s:text name="%{#parameters.message}"/>


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
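
The difference between the two groups of tests in the message above, as an added Java example that is not part of the original message and is not Struts code: it assumes the dedicated accessor protects the view by HTML-escaping the parameter when the object itself is rendered (the message does not say how it is implemented). `EscapedParam`, `rawValue` and `escapeHtml` are hypothetical names.

```java
import java.util.Map;

// Added illustration; EscapedParam and its methods are hypothetical, not Struts classes.
public class EscapedParamDemo {

    /** Wraps one request parameter so that its default string form is HTML-escaped. */
    static final class EscapedParam {
        private final String raw;

        EscapedParam(String raw) { this.raw = raw == null ? "" : raw; }

        /** What a view layer gets when it renders the object itself. */
        @Override
        public String toString() { return escapeHtml(raw); }

        /** Raw access is a separate, explicit call, meant for non-HTML sinks only. */
        String rawValue() { return raw; }
    }

    /** Minimal HTML escaping for element content and quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the parameter value quoted in the report above.
        String sent = "<script type=\"text/javascript\">alert(\"ok1\");</script>";
        Map<String, EscapedParam> parameters = Map.of("error", new EscapedParam(sent));

        EscapedParam p = parameters.get("error");
        // Rendering the object (like #parameters.error): the markup becomes inert text.
        System.out.println("<li>" + p + "</li>");
        // Rendering the raw string (like .value): the markup reaches the page unchanged.
        System.out.println("<li>" + p.rawValue() + "</li>");
    }
}
```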
