struts-issues mailing list archives

From "Yasser Zamani (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4742) Problem with escape when the key from getText has no value
Date Sat, 25 Feb 2017 07:53:44 GMT

    [ https://issues.apache.org/jira/browse/WW-4742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15884137#comment-15884137 ]

Yasser Zamani commented on WW-4742:
-----------------------------------

[~mtsbarbosa], you're right. You want to see the key itself when Struts could not find its value
in any way. Maybe Struts wants to prevent script injection by those lines using [Apache Commons
Lang|http://commons.apache.org/proper/commons-lang/index.html] but I do not know why Apache
Commons Lang also escapes unicodes while scripts do not have any problem with unicodes!

I will be working on it via Apache Commons Lang to apply the best possible solution.

Thank you!

> Problem with escape when the key from getText has no value
> ----------------------------------------------------------
>
>                 Key: WW-4742
>                 URL: https://issues.apache.org/jira/browse/WW-4742
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Tags
>    Affects Versions: 2.5.8, 2.5.10
>            Reporter: Mateus Carvalho
>            Priority: Minor
>             Fix For: 2.5.next
>
>
> When using an encoding like ISO-8859-1 and having the following situation:
> {code:title=message.ftl|borderStyle=solid}
> ...
> <@s.text name="Obrigatório - not mapped word in any dictionary" />
> ...
> {code}
> We have the following output after update 2.5.8:
> {code}
> Obrigat\u00F3rio - not mapped word in any dictionary
> {code}
> After a careful look at the source code and issues from 2.5.8, I found the problem happens in just one added line on WW-4712, the following part of the code:
> {code:title=TextProviderHelper.java|borderStyle=solid}
> ...
> public static String getText(String key, String defaultMessage, List<Object> args, ValueStack stack, boolean searchStack) {
> ...
> //This escape causes the problem
> msg = StringEscapeUtils.escapeEcmaScript(msg);
> ...
> }
> ...
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
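
Added example (not part of the original message and not Struts code): it runs the unmapped key from the report, plus a constructed key containing markup characters, through Commons Lang's escapeEcmaScript and escapeHtml4, and reports how each result fits an HTML text context. It assumes commons-lang3 is on the classpath; the class and helper names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.UnaryOperator;

import org.apache.commons.lang3.StringEscapeUtils;

public class EscapeContextDemo {

    // Constructed inputs: the unmapped key from the report, and a key
    // that carries markup characters.
    static final String[] KEYS = {
        "Obrigat\u00F3rio - not mapped word in any dictionary",
        "<b>Obrigat\u00F3rio</b> & \"quoted\""
    };

    // True when the output contains a literal backslash-u sequence, which a
    // browser shows as plain text when it appears in HTML content.
    static boolean hasLiteralUnicodeEscape(String out) {
        return out.matches("(?s).*\\\\u[0-9A-Fa-f]{4}.*");
    }

    // True when an angle bracket reaches the output unescaped.
    static boolean hasRawAngleBracket(String out) {
        return out.indexOf('<') >= 0 || out.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // The escaper named in the report, next to the HTML-context escaper
        // from the same library.
        Map<String, UnaryOperator<String>> escapers = new LinkedHashMap<>();
        escapers.put("escapeEcmaScript", StringEscapeUtils::escapeEcmaScript);
        escapers.put("escapeHtml4", StringEscapeUtils::escapeHtml4);

        for (String key : KEYS) {
            System.out.println("input: " + key);
            for (Map.Entry<String, UnaryOperator<String>> e : escapers.entrySet()) {
                String out = e.getValue().apply(key);
                System.out.printf("  %-17s -> %s%n", e.getKey(), out);
                System.out.printf("    literal unicode escape: %b, raw angle bracket: %b%n",
                        hasLiteralUnicodeEscape(out), hasRawAngleBracket(out));
            }
        }
    }
}
```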
