struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (WW-4171) getText methods are not documented as evaluating OGNL
Date Tue, 06 Aug 2013 06:26:48 GMT

[ https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13730425#comment-13730425 ]

Lukasz Lenart edited comment on WW-4171 at 8/6/13 6:25 AM:
-----------------------------------------------------------

I think you demonise a bit here. The first parameter isn't evaluated as an OGNL expression
- it is just a key used to look up in a resource bundle:

{code:java|title=LocalizedTextUtil, line 683}
String message = TextParseUtil.translateVariables(bundle.getString(key), valueStack);
{code}

and just the value from the resource bundle is evaluated as an expression, which is rather obvious
if you have something like this in a properties file:

{code:xml|title=package.properties}
requiredstring = ${getText(fieldName)} is required.
{code}

http://struts.apache.org/development/2.x/docs/localizing-output.html

I have added a note about evaluation to the docs

https://cwiki.apache.org/confluence/display/WW/Localization#Localization-Examples

was (Author: lukaszlenart):
I think you demonise a bit here. The first parameter isn't evaluated as an OGNL expression
- it is just a key used to look up in a resource bundle:

{code:java|title=LocalizedTextUtil, line 683}
String message = TextParseUtil.translateVariables(bundle.getString(key), valueStack);
{code}

and just the value from the resource bundle is evaluated as an expression, which is rather obvious
if you have something like this in a properties file:

{code|title=package.properties}
requiredstring = ${getText(fieldName)} is required.
{code}

http://struts.apache.org/development/2.x/docs/localizing-output.html

I have added a note about evaluation to the docs

https://cwiki.apache.org/confluence/display/WW/Localization#Localization-Examples
> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
>                 Key: WW-4171
>                 URL: https://issues.apache.org/jira/browse/WW-4171
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 2.3.15.1
>            Reporter: Coverity Security Research Laboratory
>              Labels: security
>
> The methods below evaluate OGNL as their first parameter. However, they are not documented as evaluating OGNL. We have observed this occurring in one project and are contacting the affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None of these methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as evaluating OGNL since this may come as a surprise to some developers.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
