struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4771) minor typos in confluence page "security.html"
Date Wed, 29 Mar 2017 14:09:41 GMT

    [ https://issues.apache.org/jira/browse/WW-4771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947194#comment-15947194 ]

Lukasz Lenart commented on WW-4771:
-----------------------------------

Nothing to worry about, and yes, I'm going to start porting the existing Getting Started guide
as soon as I handle all the security mess related to the Multipart parsers ;-)

> minor typos in confluence page "security.html"
> ----------------------------------------------
>
>                 Key: WW-4771
>                 URL: https://issues.apache.org/jira/browse/WW-4771
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>            Reporter: Stefaan Dutry
>            Priority: Trivial
>              Labels: documentation
>             Fix For: 2.5.next
>
>
> * page : [https://struts.apache.org/docs/security.html]
> * spotted typos:
> ** inside a title
> {code:none|title=current}
> Do not defined setters when not needed
> {code}
> {code:none|title=fixed}
> Do not define setters when not needed
> {code}
> ** inside text under title {{Do not use incoming values as an input for localisation logic}}
> {code:none|title=current}
> All TextProvider's getText(...) methods (e.g in ActionSupport) performs evaluation of parameters included in a message to properly localize the text. This means using incoming request parameters with getText(...) methods is potentially dangerous and should be avoided. Se example below, assuming that an action implements getter and setter for property message, the below code allows inject an OGNL expression:
> {code}
> {code:none|title=fixed}
> All TextProvider's getText(...) methods (e.g in ActionSupport) perform evaluation of parameters included in a message to properly localize the text. This means using incoming request parameters with getText(...) methods is potentially dangerous and should be avoided. See example below, assuming that an action implements getter and setter for property message, the below code allows inject an OGNL expression:
> {code}
> ** inside text under title {{Accepted / Excluded patterns}}
> {code:none|title=current}
> ...to check if param can accepted or must be excluded.
> {code}
> {code:none|title=fixed}
> ...to check if param can be accepted or must be excluded.
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
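To make the quoted security.html paragraph concrete, here is an added example (not code from this message, the reporter, or the Struts project): a hypothetical `GreetingAction` whose `message` property is bound from the request, with the risky `getText(message)` call beside a hardened version that keeps the resource key fixed. The key `greeting.message` and the assumption that `getText(String, String[])` arguments are substituted as plain MessageFormat text rather than evaluated are mine, not the page's.

```java
import com.opensymphony.xwork2.ActionSupport;

// Hypothetical action illustrating the pattern security.html warns about:
// an incoming request parameter ("message", bound through the setter by the
// params interceptor) is handed to getText(...) as the localisation input.
//
// Assumed resource bundle entry (e.g. in package.properties):
//   greeting.message=Hello, {0}!
public class GreetingAction extends ActionSupport {

    private String message;   // populated from the request
    private String greeting;  // rendered by the view

    public void setMessage(String message) { this.message = message; }
    public String getMessage() { return message; }
    public String getGreeting() { return greeting; }

    // RISKY: the incoming value itself is the localisation input. If no
    // bundle entry matches it, the raw value becomes the message text and
    // takes part in the evaluation the quoted paragraph describes.
    public String executeUnsafe() {
        greeting = getText(message);
        return SUCCESS;
    }

    // HARDENED: the key is a fixed literal chosen by the developer, so the
    // request cannot influence which message is looked up. The incoming
    // value is only passed as a MessageFormat argument, where (assumed
    // behaviour) it is inserted as plain text, not parsed as part of the
    // message. Keys should never be built from request-controlled data.
    public String execute() {
        greeting = getText("greeting.message", new String[] { message });
        return SUCCESS;
    }
}
```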
