struts-issues mailing list archives

From "Stefaan Dutry (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (WW-4771) minor typos in confluence page "security.html"
Date Sun, 26 Mar 2017 20:55:41 GMT

     [ https://issues.apache.org/jira/browse/WW-4771?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefaan Dutry resolved WW-4771.
-------------------------------
    Resolution: Fixed

> minor typos in confluence page "security.html"
> ----------------------------------------------
>
>                 Key: WW-4771
>                 URL: https://issues.apache.org/jira/browse/WW-4771
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>            Reporter: Stefaan Dutry
>            Priority: Trivial
>              Labels: documentation
>
> * page : [https://struts.apache.org/docs/security.html]
> * spotted typos:
> ** inside a title
> {code:none|title=current}
> Do not defined setters when not needed
> {code}
> {code:none|title=fixed}
> Do not define setters when not needed
> {code}
> ** inside text under title {{Do not use incoming values as an input for localisation logic}}
> {code:none|title=current}
> All TextProvider's getText(...) methods (e.g in ActionSupport) performs evaluation of
> parameters included in a message to properly localize the text. This means using incoming
> request parameters with getText(...) methods is potentially dangerous and should be avoided.
> Se example below, assuming that an action implements getter and setter for property message,
> the below code allows inject an OGNL expression:
> {code}
> {code:none|title=fixed}
> All TextProvider's getText(...) methods (e.g in ActionSupport) perform evaluation of
> parameters included in a message to properly localize the text. This means using incoming
> request parameters with getText(...) methods is potentially dangerous and should be avoided.
> See example below, assuming that an action implements getter and setter for property message,
> the below code allows inject an OGNL expression:
> {code}
> ** inside text under title {{Accepted / Excluded patterns}}
> {code:none|title=current}
> ...to check if param can accepted or must be excluded.
> {code}
> {code:none|title=fixed}
> ...to check if param can be accepted or must be excluded.
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
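As an added illustration of the guideline quoted in the ticket above (this is not code from the Struts documentation or from the ticket), the following Struts 2 action shows the pattern the documentation warns against next to a hardened form that maps the incoming request parameter onto a fixed allow-list of message keys, so that only developer-controlled strings ever reach getText(...). The package, the action and method names, the message keys and the resource-bundle entries are assumptions made for this example.

```java
package example; // assumed package for this added example

import com.opensymphony.xwork2.ActionSupport;

import java.util.Map;

public class GreetingAction extends ActionSupport {

    // Constructed allow-list: the only resource-bundle keys a request is
    // permitted to select. The keys "greeting.hello", "greeting.bye" and
    // "greeting.unknown" are assumed to exist in the action's properties file.
    private static final Map<String, String> ALLOWED_KEYS = Map.of(
            "hello", "greeting.hello",
            "bye",   "greeting.bye");

    // Bound by the params interceptor from the request parameter "message".
    private String message;

    // Localized text to render in the result view.
    private String rendered;

    // The pattern the documentation describes as dangerous: the raw request
    // value is handed to getText(...), which evaluates it while localizing.
    public String unsafe() {
        rendered = getText(message);
        return SUCCESS;
    }

    // Hardened form: the request value only chooses among fixed keys; any
    // other value is rejected with a fixed error message instead of being
    // passed through the localisation logic.
    public String execute() {
        String key = (message == null) ? null : ALLOWED_KEYS.get(message);
        if (key == null) {
            addActionError(getText("greeting.unknown"));
            return INPUT;
        }
        rendered = getText(key);
        return SUCCESS;
    }

    public String getMessage() {
        return message;
    }

    public void setMessage(String message) {
        this.message = message;
    }

    public String getRendered() {
        return rendered;
    }
}
```

The allow-list lookup is the whole point of the hardened method: the request parameter is treated as a selector, never as text, so the value passed to getText(...) is always one of the literals in ALLOWED_KEYS. The same reasoning applies to a default-message argument such as getText(key, defaultValue) if the default would otherwise come from the request.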
