struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Referencing request parameters in struts tags.
Date Wed, 16 Nov 2016 12:23:48 GMT
2016-11-16 13:12 GMT+01:00 Greg Huber <gregh3269@gmail.com>:
> Ah, was still testing. See last note, guess that's just java, hmm.
>
>
> ....To block both
>
> ${parameters.get('error')}
> ${parameters.get('error').value}
>
> we need to escape the getValue() method rather than the toString()
>
> @Override
> public String getValue() {
>     String[] values = toStringArray();
>     return (values != null && values.length > 0)
>         ? StringEscapeUtils.escapeHtml4(values[0]) : null;
> }

But this can harm users; in most cases you want to get the raw value of
a parameter because you are accessing #parameters directly.
HttpServletRequest#getParameters() doesn't perform escaping, so the
same is true here.

> ${parameters.get('error').getClass().getClassLoader()}
>
> this is a scary one??  Returns the org.apache.catalina.loader.WebappClassLoader
> ....ouch

we were there with OGNL and now UEL is going the same way ;-)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
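The trade-off the two messages above argue over, as an added example written for this page and not code from Struts or from either poster. It models the parameter wrapper with two small stand-in classes (EscapeInToString and EscapeInGetValue are invented names), replaces StringEscapeUtils.escapeHtml4 with an inline htmlEscape so the file compiles without commons-lang, and assumes that an expression such as ${parameters.get('error')} reaches the wrapper through toString() while ${parameters.get('error').value} reaches it through getValue(), which is the premise of Greg's note.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: which EL access path each escaping placement covers,
// and what moving the escape into getValue() costs callers that need the
// raw parameter. All class and method names are invented for the example.
public class ParamEscapeDemo {

    // Inline stand-in for StringEscapeUtils.escapeHtml4 (assumption: the
    // five characters below are the ones that matter for HTML text and
    // double- or single-quoted attribute context).
    static String htmlEscape(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Variant A: escape only in toString(). ${parameters.get('error')} is
    // string-coerced via toString() and comes out escaped, but
    // ${parameters.get('error').value} goes through getValue() and is raw.
    static class EscapeInToString {
        private final String[] values;
        EscapeInToString(String... values) { this.values = values; }
        String[] toStringArray() { return values; }
        public String getValue() {
            String[] v = toStringArray();
            return (v != null && v.length > 0) ? v[0] : null;
        }
        @Override public String toString() { return htmlEscape(getValue()); }
    }

    // Variant B: the override proposed in the quoted message, escaping in
    // getValue(). Both EL paths are now escaped, but every Java caller of
    // getValue(), including ones that want the raw parameter, gets
    // HTML-encoded text; that is the objection in the reply.
    static class EscapeInGetValue {
        private final String[] values;
        EscapeInGetValue(String... values) { this.values = values; }
        String[] toStringArray() { return values; }
        public String getValue() {
            String[] v = toStringArray();
            return (v != null && v.length > 0) ? htmlEscape(v[0]) : null;
        }
        @Override public String toString() { return getValue(); }
    }

    public static void main(String[] args) {
        // Constructed request parameter, as a browser could send it.
        Map<String, String[]> request = new HashMap<>();
        request.put("error", new String[] { "<script>alert(1)</script>" });
        String raw = request.get("error")[0];

        EscapeInToString a = new EscapeInToString(request.get("error"));
        EscapeInGetValue b = new EscapeInGetValue(request.get("error"));

        System.out.println("A ${parameters.get('error')}       -> " + a);
        System.out.println("A ${parameters.get('error').value} -> " + a.getValue());
        System.out.println("B ${parameters.get('error')}       -> " + b);
        System.out.println("B ${parameters.get('error').value} -> " + b.getValue());

        // Cost of variant B: server-side code comparing the parameter against
        // an expected value now sees the encoded form and no longer matches.
        System.out.println("B raw value preserved? " + raw.equals(b.getValue()));

        // Neither placement touches reflective navigation such as
        // ${parameters.get('error').getClass().getClassLoader()}; getClass()
        // is a public method on every Java object, so only the expression
        // resolver (not the value wrapper) can refuse that path.
        System.out.println("reachable: " + b.getClass().getClassLoader());
    }
}
```

Running this prints the escaped payload for both access paths under variant B and for the toString() path only under variant A, then `false` for the raw-value comparison under B, which is the loss the reply warns about; the last line shows that escaping the value does nothing about the class-loader traversal, which has to be blocked in the expression evaluator itself.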

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org

