struts-user mailing list archives

From Dale Newfield <>
Subject Re: Localised text tag
Date Wed, 08 May 2013 05:16:21 GMT
It seems like an evaluation of a value, which could be bad, in fact a large security hole.
What if that value were "System.exit()"? (I forget my OGNL...I think you need a fully qualified
path and a hash or at or something to call static methods, but you get the point.)


On May 7, 2013, at 11:10 PM, Zoran Avtarovski <> wrote:

> I have a small issue that I'm trying to resolve and I was hoping that someone
> might have come across it earlier.
> I'll try to explain as best I can:
> I have a number of objects on the value stack:
> 1. pojo - a Java object with a string attribute called key which links to a
> DB based localised text value
> 2. movement - another Java object with a string attribute called strength
> To display the localised text associated with the pojo key I use the
> following tag
> <s:text name="%{pojo.key}" />
> The problem is that if the key value clashes with another item on the value
> stack I don't get the string value.
> For example if the key value on pojo is "movement.strength" and the strength
> value for movement is "weak" I don't get the expected results. Instead of
> getting the localised text with key "movement.strength" I get the localised
> text with key "weak". I tried setting the searchValueStack property to false
> but it made no change.
> I'd appreciate any help.
> Z.
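
The exchange above, as an added example that is not part of either message and is not Struts or OGNL code: a toy value stack (nested maps, Java 9+) showing how a key that is resolved a second time returns the text for "weak", while a single-pass lookup that validates the key and uses it only as a literal returns the text for "movement.strength". The class name, method names, key pattern and bundle contents are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class TextKeyLookup {
    // Toy stand-in for a value stack: roots searched top to bottom, dotted paths walk nested maps.
    static Object find(List<Map<String, Object>> stack, String path) {
        for (Map<String, Object> root : stack) {
            Object cur = root;
            for (String part : path.split("\\.")) {
                cur = (cur instanceof Map) ? ((Map<?, ?>) cur).get(part) : null;
                if (cur == null) break;
            }
            if (cur != null) return cur;
        }
        return null;
    }

    // Behaviour described in the thread: the looked-up key is resolved against the stack again.
    static String lookupReevaluating(List<Map<String, Object>> stack,
                                     Map<String, String> bundle, String expr) {
        Object key = find(stack, expr);
        if (key == null) return null;
        Object second = find(stack, key.toString()); // stored data treated as an expression
        return bundle.get(second != null ? second.toString() : key.toString());
    }

    // Assumed shape of a legitimate bundle key: dotted identifiers only, no expression syntax.
    static final Pattern KEY = Pattern.compile("[A-Za-z0-9_]+(\\.[A-Za-z0-9_]+)*");

    // Single pass: resolve once, check the shape, then use the result only as a literal key.
    static String lookupLiteral(List<Map<String, Object>> stack,
                                Map<String, String> bundle, String expr) {
        Object key = find(stack, expr);
        if (key == null || !KEY.matcher(key.toString()).matches()) return null;
        return bundle.get(key.toString());
    }

    public static void main(String[] args) {
        // Constructed sample data using the values quoted in the thread.
        Map<String, Object> root = Map.of(
            "pojo", Map.of("key", "movement.strength"),
            "movement", Map.of("strength", "weak"));
        List<Map<String, Object>> stack = List.of(root);
        Map<String, String> bundle = Map.of(
            "movement.strength", "Movement strength", "weak", "Weak");
        System.out.println("re-evaluated: " + lookupReevaluating(stack, bundle, "pojo.key"));
        System.out.println("literal key:  " + lookupLiteral(stack, bundle, "pojo.key"));
    }
}
```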
