Date: Wed, 29 Mar 2017 14:09:41 +0000 (UTC)
From: "Lukasz Lenart (JIRA)"
To: issues@struts.apache.org
Subject: [jira] [Commented] (WW-4771) minor typos in confluence page "security.html"

    [ https://issues.apache.org/jira/browse/WW-4771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947194#comment-15947194 ]

Lukasz Lenart commented on WW-4771:
-----------------------------------

Nothing to worry about, and yes, I'm going to start porting the existing Getting Started guide as soon as I handle all the security mess related to the Multipart parsers ;-)

> minor typos in confluence page "security.html"
> ----------------------------------------------
>
>                 Key: WW-4771
>                 URL: https://issues.apache.org/jira/browse/WW-4771
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>            Reporter: Stefaan Dutry
>            Priority: Trivial
>              Labels: documentation
>             Fix For: 2.5.next
>
>
> * page : [https://struts.apache.org/docs/security.html]
> * spotted typos:
> ** inside a title
> {code:none|title=current}
> Do not defined setters when not needed
> {code}
> {code:none|title=fixed}
> Do not define setters when not needed
> {code}
> ** inside text under title {{Do not use incoming values as an input for localisation logic}}
> {code:none|title=current}
> All TextProvider's getText(...) methods (e.g in ActionSupport) performs evaluation of parameters included in a message to properly localize the text. This means using incoming request parameters with getText(...) methods is potentially dangerous and should be avoided. Se example below, assuming that an action implements getter and setter for property message, the below code allows inject an OGNL expression:
> {code}
> {code:none|title=fixed}
> All TextProvider's getText(...) methods (e.g in ActionSupport) perform evaluation of parameters included in a message to properly localize the text. This means using incoming request parameters with getText(...) methods is potentially dangerous and should be avoided. See example below, assuming that an action implements getter and setter for property message, the below code allows inject an OGNL expression:
> {code}
> ** inside text under title {{Accepted / Excluded patterns}}
> {code:none|title=current}
> ...to check if param can accepted or must be excluded.
> {code}
> {code:none|title=fixed}
> ...to check if param can be accepted or must be excluded.
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
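As an added illustration of the warning behind the second typo (the getText(...) passage quoted above), and not code from the Struts documentation, from the issue reporter or from the Struts project: a minimal Struts 2 action in which a request-bound property is fed straight into getText(...), beside the variant I would write instead. The class name GreetingAction, the property message, the package and the bundle key greeting.message are assumptions made for this example; the quoted text names none of them. The safer variant relies on the message being looked up under a fixed key that exists in the bundle, with the untrusted value entering only as a MessageFormat argument, which the localisation step formats into the already evaluated text rather than evaluating.

```java
package example; // assumed package, for illustration only

import com.opensymphony.xwork2.ActionSupport;

/**
 * Illustrative Struts 2 action (not from the Struts docs or from this issue).
 * ParametersInterceptor binds the request parameter "message" through
 * setMessage(), so everything in this.message is attacker-controlled input.
 */
public class GreetingAction extends ActionSupport {

    private String message;

    public String getMessage() {
        return message;
    }

    // The setter is needed here because the action really does accept this
    // parameter. Per the page's "Do not define setters when not needed",
    // a property that is not meant to be bound from the request gets none.
    public void setMessage(String message) {
        this.message = message;
    }

    /**
     * DANGEROUS pattern the quoted text warns about: the request value is used
     * as the text key. When no bundle entry matches, the key itself becomes the
     * message text and goes through the same variable evaluation that real
     * bundle messages get, so a request parameter reaches that evaluation step.
     */
    public String executeUnsafe() {
        addActionMessage(getText(message));
        return SUCCESS;
    }

    /**
     * Safer pattern: the key is a constant that exists in the resource bundle
     * (assumed entry in GreetingAction.properties: greeting.message=Hello, {0}!)
     * and the request value is supplied only as a MessageFormat argument, which
     * is substituted into the localised text instead of being evaluated.
     */
    public String execute() {
        addActionMessage(getText("greeting.message", new String[] { message }));
        return SUCCESS;
    }
}
```

The point is not the greeting itself but where the untrusted string ends up: as the first argument of getText(...) it decides which text is looked up (and, on a miss, becomes the text), whereas as a format argument it can only ever be inserted into a message the bundle already defines.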