Posted to user@struts.apache.org by chengas123 <be...@gmail.com> on 2007/11/13 19:52:27 UTC

Escaping Characters in Struts Property Tag

Hi,
I want to use the struts property tag to set a JavaScript variable. 
Ordinarily, it would look something like:
var testValue = '<s:property value="testValue" />';

However, this does not work if the value has a single quote in it, so that
character needs to be escaped.  It should be easy, but I can't figure out
how to do it.  I can't return testValue.replaceAll("'", "\'") as I'd like to
because the quotes in the call to replaceAll would interfere with the quotes
in property tag.  My only other idea was to create a class with a static
method, but I can't figure out how to call it.  Would it be something like:
var testValue = '<s:property
value="@com.benmccann.util.StringUtil@javascriptEscape(comments)" />'

Thanks,
Ben
-- 
View this message in context: http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13732222
Sent from the Struts - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: [struts] Escaping Characters in Struts Property Tag

Posted by chengas123 <be...@gmail.com>.
Escape is true by default.  It escapes HTML characters such as < and > and
not single quotes.  

-Ben



Wes Wannemacher wrote:
> 
> what about '<s:property value="testValue" escape="true" />'
> 
> -Wes
> 
> 



Re: [struts] Escaping Characters in Struts Property Tag

Posted by Wes Wannemacher <we...@wantii.com>.
what about '<s:property value="testValue" escape="true" />'

-Wes

On 11/13/07, chengas123 <be...@gmail.com> wrote:
>
> That does not escape the single quote.
>
> -Ben
>
>
>
> DNewfield wrote:
> >
> > chengas123 wrote:
> >> var testValue = '<s:property value="testValue" />';
> >>
> >> However, this does not work if the value has a single quote in it
> >
> > Try:
> > var testValue = "<s:property value='%{testValue}'/>";
> >
> > -Dale
> >
> >


-- 
Wesley Wannemacher
President, Head Engineer/Consultant
WanTii, Inc.
http://www.wantii.com



Re: [struts] Escaping Characters in Struts Property Tag

Posted by chengas123 <be...@gmail.com>.
I do see Dale's point now about the security risk.  
I'd generally agree with Dave that using a static method is basically the
same as a scriptlet.  However, in this case I can't say it really belongs in
my bean.  It's really more of a formatting issue.  I'd hate to have my bean
have two getters for every variable: one to get it regularly and one to get
the escaped version.  
Perhaps the property tag needs another attribute which would allow special
JavaScript characters to be escaped?

-Ben



newton.dave wrote:
> 
> Another issue, a more stylistic one, is that using
> methods like this is barely better than scriptlets.
> Some would argue that this type of work belongs on the
> server side, especially if you're working with
> non-programming designers (although some can be
> trained to use a set of well-defined static methods
> once they have the syntax).
> 
> d.
> 
> --- Dale Newfield <Da...@Newfield.org> wrote:
> 
>> chengas123 wrote:
>>> Ahh, yes, that was my problem.  I'm afraid I wasn't expecting that.  I don't
>>> really see how allowing static method access presents a security problem.  Am
>>> I opening myself up to any obvious risks by turning this on?
>> 
>> If someone submits a value in a form that you mirror
>> back to them in a 
>> place that might be evaluated by ognl, then
>> "@System@exit(-1)" would be 
>> a pretty evil risk, no?  I'm pretty certain that the
>> most recent xwork 
>> .jar prevents ognl evaluation while setting
>> parameters from the request, 
>> so the path that string must take to be destructive
>> is now much more 
>> convoluted.
>> 
>> -Dale
>> 
> 
> 



Re: [struts] Escaping Characters in Struts Property Tag

Posted by Dave Newton <ne...@yahoo.com>.
Another issue, a more stylistic one, is that using
methods like this is barely better than scriptlets.
Some would argue that this type of work belongs on the
server side, especially if you're working with
non-programming designers (although some can be
trained to use a set of well-defined static methods
once they have the syntax).

d.

--- Dale Newfield <Da...@Newfield.org> wrote:

> chengas123 wrote:
> > Ahh, yes, that was my problem.  I'm afraid I wasn't expecting that.  I don't
> > really see how allowing static method access presents a security problem.  Am
> > I opening myself up to any obvious risks by turning this on?
> 
> If someone submits a value in a form that you mirror
> back to them in a 
> place that might be evaluated by ognl, then
> "@System@exit(-1)" would be 
> a pretty evil risk, no?  I'm pretty certain that the
> most recent xwork 
> .jar prevents ognl evaluation while setting
> parameters from the request, 
> so the path that string must take to be destructive
> is now much more 
> convoluted.
> 
> -Dale
> 




Re: [struts] Escaping Characters in Struts Property Tag

Posted by Dale Newfield <Da...@Newfield.org>.
chengas123 wrote:
> Ahh, yes, that was my problem.  I'm afraid I wasn't expecting that.  I don't
> really see how allowing static method access presents a security problem.  Am
> I opening myself up to any obvious risks by turning this on?

If someone submits a value in a form that you mirror back to them in a 
place that might be evaluated by ognl, then "@System@exit(-1)" would be 
a pretty evil risk, no?  I'm pretty certain that the most recent xwork 
.jar prevents ognl evaluation while setting parameters from the request, 
so the path that string must take to be destructive is now much more 
convoluted.

-Dale



Re: [struts] Escaping Characters in Struts Property Tag

Posted by chengas123 <be...@gmail.com>.
Ahh, yes, that was my problem.  I'm afraid I wasn't expecting that.  I don't
really see how allowing static method access presents a security problem.  Am
I opening myself up to any obvious risks by turning this on?

Thanks,
Ben



DNewfield wrote:
> 
> 
> Have you turned off this capability (or rather not turned it back on)?
> struts.ognl.allowStaticMethodAccess
> https://issues.apache.org/struts/browse/WW-2160
> 
> -Dale
> 
> 
> 



Re: [struts] Escaping Characters in Struts Property Tag

Posted by Dale Newfield <Da...@Newfield.org>.
>> chengas123 wrote:
>>> <s:property value="%{comments}" /> returns what I am expecting.
>>> <s:property
>>> value="%{@org.apache.commons.lang.StringEscapeUtils@escapeJavaScript(comments)}"
>>> /> returns nothing.

Have you turned off this capability (or rather not turned it back on)?
struts.ognl.allowStaticMethodAccess
https://issues.apache.org/struts/browse/WW-2160

Does:
<s:property value='%{@org.apache.commons.lang.StringEscapeUtils@escapeJavaScript("hello world")}'/>
work?

That might help distinguish if the problem is the static call or the 
data passed into it.

I assume you've looked at all the appropriate log files to see if 
there's some helpful message there?

-Dale



Re: [struts] Escaping Characters in Struts Property Tag

Posted by chengas123 <be...@gmail.com>.
Yes.  That's definitely not the problem.  It's on my classpath, etc.  I was
originally trying this same thing with a custom String util class that I
wrote and that did not work either.  I should mention that I am using Struts
2.1.1.  If I am doing this correctly, then perhaps it's a bug? 

-Ben



DNewfield wrote:
> 
> chengas123 wrote:
>> <s:property value="%{comments}" /> returns what I am expecting.
>> <s:property
>> value="%{@org.apache.commons.lang.StringEscapeUtils@escapeJavaScript(comments)}"
>> /> returns nothing.
> 
> Do you have a commons-lang jar in your WEB-INF/lib?
> 
> 



Re: [struts] Escaping Characters in Struts Property Tag

Posted by Dale Newfield <Da...@Newfield.org>.
chengas123 wrote:
> <s:property value="%{comments}" /> returns what I am expecting.
> <s:property
> value="%{@org.apache.commons.lang.StringEscapeUtils@escapeJavaScript(comments)}"
> /> returns nothing.

Do you have a commons-lang jar in your WEB-INF/lib?

http://commons.apache.org/lang/

-Dale



Re: [struts] Escaping Characters in Struts Property Tag

Posted by chengas123 <be...@gmail.com>.
That is basically what I had been trying all along.  Am I doing anything
wrong?
<s:property value="comments" /> returns what I am expecting.
<s:property value="%{comments}" /> returns what I am expecting.
<s:property
value="@org.apache.commons.lang.StringEscapeUtils@escapeJavaScript(comments)"
/> returns nothing.
<s:property
value="%{@org.apache.commons.lang.StringEscapeUtils@escapeJavaScript(comments)}"
/> returns nothing.

Thanks,
Ben



newton.dave wrote:
> 
> --- chengas123 <be...@gmail.com> wrote:
>> That brings me back to my original question though
>> which is how do I call that from within the property
>> tag?
> 
> http://struts.apache.org/2.x/docs/ognl-basics.html
> 
> See the section called "Accessing static properties".
> 
> Nutshell:
> 
> <s:property
> value="@org.apache.commons.lang.StringEscapeUtils@escapeJavaScript(valWithQuotes)"/>
> 
> d.
> 



Re: [struts] Escaping Characters in Struts Property Tag

Posted by Dave Newton <ne...@yahoo.com>.
--- chengas123 <be...@gmail.com> wrote:
> That brings me back to my original question though
> which is how do I call that from within the property
> tag?

http://struts.apache.org/2.x/docs/ognl-basics.html

See the section called "Accessing static properties".

Nutshell:

<s:property
value="@org.apache.commons.lang.StringEscapeUtils@escapeJavaScript(valWithQuotes)"/>

d.




Re: [struts] Escaping Characters in Struts Property Tag

Posted by Dale Newfield <Da...@Newfield.org>.
chengas123 wrote:
> Thanks.  I will be sure to look at that.  
> That brings me back to my original question though which is how do I call
> that from within the property tag?

<s:property value="%{@org.apache.commons.lang.StringEscapeUtils@escapeJavaScript(ognlExpr)}"/>

-Dale



Re: [struts] Escaping Characters in Struts Property Tag

Posted by chengas123 <be...@gmail.com>.
Thanks.  I will be sure to look at that.  
That brings me back to my original question though which is how do I call
that from within the property tag?

-Ben



DNewfield wrote:
> 
> chengas123 wrote:
>> I think escaping would still be best for me
> 
> Then you're looking for:
> 
> org.apache.commons.lang.StringEscapeUtils.escapeJavaScript()
> 
> -Dale
> 
> 



Re: [struts] Escaping Characters in Struts Property Tag

Posted by Dale Newfield <Da...@Newfield.org>.
chengas123 wrote:
> I think escaping would still be best for me

Then you're looking for:

org.apache.commons.lang.StringEscapeUtils.escapeJavaScript()

-Dale



Re: [struts] Escaping Characters in Struts Property Tag

Posted by chengas123 <be...@gmail.com>.
Ahh, I'm afraid I'd missed that you reversed the order of the quotation
marks.  I was not aware that could be done.  However, what I'm actually
doing is putting the value into an onclick attribute.  I'm not sure I can
use this trick because then I end up with something like
onClick="myFunction('test " value ')".  So I think escaping would still be
best for me, so I get what I actually want:  onClick="myFunction('test \'
value ')";

-Ben



DNewfield wrote:
> 
> 
> Try:
> var testValue = "<s:property value='%{testValue}'/>"; 
> 
> 

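Taking Ben's onclick case together with Dale's warning earlier in the thread about leaving struts.ognl.allowStaticMethodAccess switched on, here is an added example of doing the escaping on the server side. It is my own Java, not code from the thread, from Struts or from commons-lang; the class name JsEscaper, its method names, the sample values, and the action/JSP wiring sketched in the comments are all assumptions.

```java
// Added example, not from the thread: a server-side escaper for the two
// contexts Ben describes (a JS string literal, and that literal inside an
// onclick attribute), exposed to the JSP without enabling
// struts.ognl.allowStaticMethodAccess. Class and method names are mine.
public final class JsEscaper {

    /** Makes s safe between '...' or "..." in JavaScript source. */
    public static String escapeJsStringLiteral(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '\'': out.append("\\'"); break;
                case '"':  out.append("\\\""); break;
                case '/':  out.append("\\/"); break;  // "</script>" can no longer end the block
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                default:
                    // Remaining control characters, the markup characters and the JS line
                    // terminators U+2028/U+2029 become \\uXXXX: inert to both parsers.
                    if (c < 0x20 || c == '<' || c == '>' || c == '&'
                            || c == '\u2028' || c == '\u2029') {
                        out.append(String.format("\\u%04X", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /** HTML attribute escaping, the outer layer when the literal sits in onclick="...". */
    public static String escapeHtmlAttribute(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;"); break;
                case '<':  out.append("&lt;"); break;
                case '>':  out.append("&gt;"); break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Both layers, applied inside-out: the browser decodes the attribute first and hands
     * the result to the JavaScript parser, so JS escaping goes on first, HTML last.
     */
    public static String escapeForOnclickLiteral(String s) {
        return escapeHtmlAttribute(escapeJsStringLiteral(s));
    }

    // Wiring sketch (assumed, not verified against a particular Struts release):
    //   struts.xml keeps the default
    //     <constant name="struts.ognl.allowStaticMethodAccess" value="false"/>
    //   the action exposes an instance method, which OGNL may call without that flag
    //     public String js(String s) { return JsEscaper.escapeForOnclickLiteral(s); }
    //   and the page does both layers itself, so the tag's own HTML escaping is off
    //     onclick="myFunction('<s:property value="js(comments)" escape="false"/>')"

    public static void main(String[] args) {
        // Constructed sample values; the first is the case from the thread.
        String[] samples = {
            "test ' value",
            "a \"double-quoted\" value with </script> inside",
        };
        for (String comments : samples) {
            System.out.println("raw:            " + comments);
            // Swapping the delimiters only moves the problem to values holding a double quote.
            System.out.println("swapped quotes: \"" + comments + "\"");
            System.out.println("js literal:     '" + escapeJsStringLiteral(comments) + "'");
            System.out.println("onclick attr:   onclick=\"myFunction('"
                    + escapeForOnclickLiteral(comments) + "')\"");
            System.out.println();
        }
    }
}
```

Compile with javac and run the main to see each sample in its raw, delimiter-swapped, JS-escaped and attribute-ready forms; the second sample shows why the delimiter swap is not an escape. The order of the two layers mirrors the order in which the browser undoes them: the HTML attribute is decoded first and only then handed to the JavaScript parser, so the JS escaping must be innermost. Because both layers are applied in the action method, the tag is used with escape="false"; and because it is a public instance method on the action rather than a static call, the sketch does not depend on turning static method access back on.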


Re: [struts] Escaping Characters in Struts Property Tag

Posted by Dale Newfield <Da...@Newfield.org>.
chengas123 wrote:
> That does not escape the single quote.

Correct.  But I believe the following is valid ECMAScript (without the 
single quote being escaped):

var testValue = "You've got to be kidding!";

-Dale



Re: [struts] Escaping Characters in Struts Property Tag

Posted by chengas123 <be...@gmail.com>.
That does not escape the single quote.

-Ben



DNewfield wrote:
> 
> chengas123 wrote:
>> var testValue = '<s:property value="testValue" />';
>> 
>> However, this does not work if the value has a single quote in it
> 
> Try:
> var testValue = "<s:property value='%{testValue}'/>";
> 
> -Dale
> 
> 



Re: [struts] Escaping Characters in Struts Property Tag

Posted by Dale Newfield <Da...@Newfield.org>.
chengas123 wrote:
> var testValue = '<s:property value="testValue" />';
> 
> However, this does not work if the value has a single quote in it

Try:
var testValue = "<s:property value='%{testValue}'/>";

-Dale
