Posted to user@struts.apache.org by Aleksandr Kubar <ku...@gmail.com> on 2024/03/13 14:27:52 UTC

Inline handlers and content security policy in struts2 6.3

Hello,

I migrated struts2 from version 2.5 to 6.3 and now I have observed lots of
Security Content Policy warnings. I found information about new struts
"script" and "link" tags and I introduced them in my app, but I still have
many warnings regarding inline handlers like: onclick, onchange etc. I did
not find whether struts2 offers any tools to overcome this by placing a new
special tag or something, the only way I found is replacing inline handlers
with event listeners moved to JS file or block.


I would like to ask whether there is any inbuilt solution from struts2 to
handle inline handlers or maybe something planned to do in next releases?


Many thanks,

Aleksandr

Re: Inline handlers and content security policy in struts2 6.3

Posted by Dave Newton <da...@gmail.com>.
On Wed, Mar 13, 2024 at 10:43 AM Aleksandr Kubar <ku...@gmail.com>
wrote:

> I would like to ask whether there is any inbuilt solution from struts2 to
> handle inline handlers or maybe something planned to do in next releases?
>

You mean like something that gathers up all the inline handlers and shovels
them into an external block?

I don't know of anything that does this or is planned. It seems like it'd
be a risky automation to generalize.

I would say that it's something that could likely be automated *locally* in
that JSP parsing is (reasonably) straightforward and could be done with
existing text-based tools.

I'd still probably just do it by hand, but I could see the usefulness of a
first-pass being done w/ some small scripting.

d.
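
A first-pass inventory of the kind suggested in the reply above, as an added example that is not part of the original thread and not Struts code: it lists every inline `on*` attribute in JSP source (plain HTML tags and `s:` UI tags alike) with its line number, so each one can be moved by hand into an event listener. The names `findInlineHandlers` and `SAMPLE_JSP` are hypothetical and the sample markup is constructed.

```javascript
// Added example: inventory inline event-handler attributes in JSP source.
// SAMPLE_JSP is constructed for illustration; it is not from a real application.
const SAMPLE_JSP = [
  '<%@ taglib prefix="s" uri="/struts-tags" %>',
  '<s:form action="save">',
  '  <s:textfield name="qty" onchange="recalc(this)"/>',
  '  <input type="button" value="Go"',
  "         onclick='submitForm(\"save\")'>",
  '  <a href="#" data-note="onclick=ignored">help</a>',
  '  <%-- <button onclick="old()">x</button> --%>',
  '</s:form>',
].join('\n');

// An opening tag: name, then any number of attributes (quoted, unquoted or bare).
const TAG = /<([A-Za-z][\w:.-]*)((?:\s+[\w:.-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
// One quoted attribute inside a tag's attribute string.
const ATTR = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

function findInlineHandlers(source) {
  // Blank out JSP comments but keep newlines so reported line numbers stay correct.
  const text = source.replace(/<%--[\s\S]*?--%>/g, c => c.replace(/[^\n]/g, ' '));
  const findings = [];
  for (const tag of text.matchAll(TAG)) {
    for (const attr of tag[2].matchAll(ATTR)) {
      if (!/^on[a-z]+$/i.test(attr[1])) continue; // keep only on* attributes
      // tag[0] is '<' + name + attribute string, so the attribute's absolute offset is:
      const offset = tag.index + 1 + tag[1].length + attr.index;
      findings.push({
        line: text.slice(0, offset).split('\n').length,
        tag: tag[1],
        attribute: attr[1].toLowerCase(),
        code: attr[2] ?? attr[3],
      });
    }
  }
  return findings;
}

// Regex first pass only: attribute values that contain their own quote
// character (for example a scriptlet with string literals) need manual review.
console.log(findInlineHandlers(SAMPLE_JSP));
```

Each finding gives the tag and handler code to move into an `addEventListener` call in an external file or a script block the policy allows.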