struts-issues mailing list archives

From "Stefaan Dutry (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WW-4771) minor typos in confluence page "security.html"
Date Fri, 24 Mar 2017 20:17:41 GMT
Stefaan Dutry created WW-4771:
---------------------------------

             Summary: minor typos in confluence page "security.html"
                 Key: WW-4771
                 URL: https://issues.apache.org/jira/browse/WW-4771
             Project: Struts 2
          Issue Type: Improvement
          Components: Documentation
            Reporter: Stefaan Dutry
            Priority: Trivial


* page : [https://struts.apache.org/docs/security.html]
* spotted typos:
** inside a title
{code:none|title=current}
Do not defined setters when not needed
{code}
{code:none|title=fixed}
Do not define setters when not needed
{code}
** inside text under title {{Do not use incoming values as an input for localisation logic}}
{code:none|title=current}
All TextProvider's getText(...) methods (e.g in ActionSupport) performs evaluation of parameters
included in a message to properly localize the text. This means using incoming request parameters
with getText(...) methods is potentially dangerous and should be avoided. Se example below,
assuming that an action implements getter and setter for property message, the below code
allows inject an OGNL expression:
{code}
{code:none|title=fixed}
All TextProvider's getText(...) methods (e.g in ActionSupport) perform evaluation of parameters
included in a message to properly localize the text. This means using incoming request parameters
with getText(...) methods is potentially dangerous and should be avoided. See example below,
assuming that an action implements getter and setter for property message, the below code
allows inject an OGNL expression:
{code}
** inside text under title {{Accepted / Excluded patterns}}
{code:none|title=current}
...to check if param can accepted or must be excluded.
{code}
{code:none|title=fixed}
...to check if param can be accepted or must be excluded.
{code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
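The paragraph quoted above under "Do not use incoming values as an input for localisation logic" states the rule but not what the unsafe and safe call sites look like. The following Struts 2 action is an added example, not code from the security.html page, from this ticket, or from the Struts project; the class name GreetingAction, the request property message and the bundle key greeting.message are assumptions, and it assumes struts2-core on the classpath plus a resource bundle that defines that key.

```java
// Added example (not from the Struts security page or WW-4771).
// Assumes struts2-core on the classpath and a resource bundle, e.g. package.properties,
// containing the line:   greeting.message=Hello, {0}!
import com.opensymphony.xwork2.ActionSupport;

public class GreetingAction extends ActionSupport {

    // Populated from the request parameter "message" by the params interceptor,
    // because the action exposes a setter for it.
    private String message;

    public String getMessage() {
        return message;
    }

    public void setMessage(String message) {
        this.message = message;
    }

    // UNSAFE: the incoming value is used as the message key. getText(key) uses the key
    // itself as the default message when no bundle entry matches, and that default text
    // is run through ${...}/%{...} expression evaluation before MessageFormat is applied,
    // so a crafted "message" parameter reaches the OGNL evaluator.
    public String executeUnsafe() {
        addActionMessage(getText(message));
        return SUCCESS;
    }

    // SAFE: the key is a constant chosen by the developer, and the incoming value is
    // passed only as a MessageFormat argument. Arguments are substituted into the
    // already-evaluated template and are not themselves evaluated as expressions.
    public String execute() {
        addActionMessage(getText("greeting.message", new String[] { message }));
        return SUCCESS;
    }
}
```

The two methods differ only in where the request value enters the call: as the template (unsafe) or as an argument to a fixed template (safe). The same distinction applies to the other TextProvider overloads, such as getText(String, List) and getText(String, String, String[]): anything in the key or default-message position is evaluated, anything in the argument position is only formatted.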
