Posted to dev@struts.apache.org by "McAleer, Richard (INT)" <Ri...@Teledyne.com> on 2016/11/01 13:39:09 UTC

Referencing request parameters in struts tags.

Hi,
I've written a question on stackoverflow but thought I might get a better response on the mailing list:

http://stackoverflow.com/questions/40360998/struts-parameters-not-accessible-in-sif-tag

The problem I'm running into sounds very similar to https://issues.apache.org/jira/browse/WW-2120 but I don't think it's the same issue based on what I found tracing through the code.

Thanks,

Richard McAleer
Senior Software Developer

Teledyne CARIS, Inc.

115 Waggoners Lane
Fredericton, NB
E3B 2L4   Canada
Phone: 506.458.8533
Fax: 506.459.3849



Re: Referencing request parameters in struts tags.

Posted by Lukasz Lenart <lu...@apache.org>.
ok, cool :)

2016-11-12 9:43 GMT+01:00 Greg Huber <gr...@gmail.com>:
>> <s:text name="<script>alert('ok')</script>" />
>>In the latest build? Because I see something like this in the source page
>>Test: &lt;script&gt;alert(\'ok\')&lt;\/script&gt;
>
> OK, it is escaped.
>
> <script>alert(\'ok\')<\/script>
>
> ##
>
>> script.test=<script type="text/javascript">alert("ok");</script>
>> <s:text name="script.test"/>
>
> script.test is in my .properties file, but as we are not escaping I would
> expect this to pop.
>
> My tests:
>
> <s:if test="#parameters.contains('error')">
>                 <ul>
>                     <li>
>                         1<s:text name="#parameters.get('error').value"/>
>                     </li>
>                     <li>
>                         2 <s:text name="#parameters.error"/>
>                     </li>
>                     <li>
>                         3 <s:property value="#parameters.error"/>
>                     </li>
>                     <li>
>                         <s:text name="getParameter('error')" />
>                     </li>
>                     <li>
>                         4 <s:property
> value="%{#parameters.get('error').value}"/>
>                     </li>
>                     <li>
>                         5 <s:text name="<script>alert('ok')</script>" />
>                     </li>
>                     <li>
>                         6 <s:text name="script.test"/>
>                     </li>
>                 </ul>
>             </s:if>
>
>    - 1#parameters.get(\'error\').value
>    - 2 #parameters.error
>    - 3 <script type="text/javascript">alert("ok");</script>
>    - getParameter(\'error\')
>    - 4
>    - 5 <script>alert(\'ok\')<\/script>
>    - 6
>
> #6 is the only one now that pops which is correct.
>
>
> On 12 November 2016 at 08:24, Lukasz Lenart <lu...@apache.org> wrote:
>
>> 2016-11-11 12:23 GMT+01:00 Greg Huber <gr...@gmail.com>:
>> >> <s:text name="<script>alert('ok')</script>" />
>> >
>> > ....this pops!
>>
>> In the latest build? Because I see something like this in the source page
>>
>> Test: &lt;script&gt;alert(\'ok\')&lt;\/script&gt;
>>
>> >> Maybe we should've thought about renaming this tag
>> >
>> >
>> > Think we are OK here as it does say what it does, maybe could add more
>> info
>> > in the hover if we are going to change it.  Currently it says "Render a
>> > I18n text message"
>> >
>> > ##
>> >
>> > <s:text name="script.test"/>
>> > script.test=<script type="text/javascript">alert("ok");</script>
>>
>> I assume you meant that "script.test=<script
>> type="text/javascript">alert("ok");</script>" is passed a request
>> parameter? So again are using the latest build because I cannot
>> confirm this.
>>
>> > ..but do have html in the ApplicationResources.properties file so
>> sometimes
>> > I want it rendered as html eg <em>Important</em> but any
>> <script></script>
>> > could be escaped when it's loaded from the file initially?  It's
>> difficult
>> > to say how far to take this!
>>
>> To be clear, this won't affect your messages from .properties files,
>> so if you are using html in there you will get that html on your page,
>> it won't be escaped. Right now, after disabling searching default
>> message in ValueStack, even escaping is not needed.
>>
>> > Think reducing the scope of <s:text> is worth doing, it's easy to convert
>> to
>> > <s:property> and also reduces the duplication / maintenance.
>>
>> Yes, but both these tags have different use cases, so I would leave
>> them and just improve them.
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: Referencing request parameters in struts tags.

Posted by Greg Huber <gr...@gmail.com>.
> <s:text name="<script>alert('ok')</script>" />
>In the latest build? Because I see something like this in the source page
>Test: &lt;script&gt;alert(\'ok\')&lt;\/script&gt;

OK, it is escaped.

<script>alert(\'ok\')<\/script>

##

> script.test=<script type="text/javascript">alert("ok");</script>
> <s:text name="script.test"/>

script.test is in my .properties file, but as we are not escaping I would
expect this to pop.

My tests:

<s:if test="#parameters.contains('error')">
    <ul>
        <li>
            1<s:text name="#parameters.get('error').value"/>
        </li>
        <li>
            2 <s:text name="#parameters.error"/>
        </li>
        <li>
            3 <s:property value="#parameters.error"/>
        </li>
        <li>
            <s:text name="getParameter('error')" />
        </li>
        <li>
            4 <s:property value="%{#parameters.get('error').value}"/>
        </li>
        <li>
            5 <s:text name="<script>alert('ok')</script>" />
        </li>
        <li>
            6 <s:text name="script.test"/>
        </li>
    </ul>
</s:if>

   - 1#parameters.get(\'error\').value
   - 2 #parameters.error
   - 3 <script type="text/javascript">alert("ok");</script>
   - getParameter(\'error\')
   - 4
   - 5 <script>alert(\'ok\')<\/script>
   - 6

#6 is the only one now that pops which is correct.


On 12 November 2016 at 08:24, Lukasz Lenart <lu...@apache.org> wrote:

> 2016-11-11 12:23 GMT+01:00 Greg Huber <gr...@gmail.com>:
> >> <s:text name="<script>alert('ok')</script>" />
> >
> > ....this pops!
>
> In the latest build? Because I see something like this in the source page
>
> Test: &lt;script&gt;alert(\'ok\')&lt;\/script&gt;
>
> >> Maybe we should've thought about renaming this tag
> >
> >
> > Think we are OK here as it does say what it does, maybe could add more
> info
> > in the hover if we are going to change it.  Currently it says "Render a
> > I18n text message"
> >
> > ##
> >
> > <s:text name="script.test"/>
> > script.test=<script type="text/javascript">alert("ok");</script>
>
> I assume you meant that "script.test=<script
> type="text/javascript">alert("ok");</script>" is passed a request
> parameter? So again are using the latest build because I cannot
> confirm this.
>
> > ..but do have html in the ApplicationResources.properties file so
> sometimes
> > I want it rendered as html eg <em>Important</em> but any
> <script></script>
> > could be escaped when it's loaded from the file initially?  It's
> difficult
> > to say how far to take this!
>
> To be clear, this won't affect your messages from .properties files,
> so if you are using html in there you will get that html on your page,
> it won't be escaped. Right now, after disabling searching default
> message in ValueStack, even escaping is not needed.
>
> > Think reducing the scope of <s:text> is worth doing, it's easy to convert
> to
> > <s:property> and also reduces the duplication / maintenance.
>
> Yes, but both these tags have different use cases, so I would leave
> them and just improve them.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

Re: Referencing request parameters in struts tags.

Posted by Lukasz Lenart <lu...@apache.org>.
2016-11-11 12:23 GMT+01:00 Greg Huber <gr...@gmail.com>:
>> <s:text name="<script>alert('ok')</script>" />
>
> ....this pops!

In the latest build? Because I see something like this in the source page

Test: &lt;script&gt;alert(\'ok\')&lt;\/script&gt;

>> Maybe we should've thought about renaming this tag
>
>
> Think we are OK here as it does say what it does, maybe could add more info
> in the hover if we are going to change it.  Currently it says "Render a
> I18n text message"
>
> ##
>
> <s:text name="script.test"/>
> script.test=<script type="text/javascript">alert("ok");</script>

I assume you meant that "script.test=<script
type="text/javascript">alert("ok");</script>" is passed a request
parameter? So again are using the latest build because I cannot
confirm this.

> ..but do have html in the ApplicationResources.properties file so sometimes
> I want it rendered as html eg <em>Important</em> but any <script></script>
> could be escaped when it's loaded from the file initially?  It's difficult
> to say how far to take this!

To be clear, this won't affect your messages from .properties files,
so if you are using html in there you will get that html on your page,
it won't be escaped. Right now, after disabling searching default
message in ValueStack, even escaping is not needed.

> Think reducing the scope of <s:text> is worth doing, it's easy to convert to
> <s:property> and also reduces the duplication / maintenance.

Yes, but both these tags have different use cases, so I would leave
them and just improve them.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Referencing request parameters in struts tags.

Posted by Greg Huber <gr...@gmail.com>.
> <s:text name="<script>alert('ok')</script>" />

....this pops!

> Maybe we should've thought about renaming this tag


Think we are OK here as it does say what it does, maybe could add more info
in the hover if we are going to change it.  Currently it says "Render a
I18n text message"

##

<s:text name="script.test"/>
script.test=<script type="text/javascript">alert("ok");</script>

this pops

..but do have html in the ApplicationResources.properties file so sometimes
I want it rendered as html eg <em>Important</em> but any <script></script>
could be escaped when it's loaded from the file initially?  It's difficult
to say how far to take this!

Think reducing the scope of <s:text> is worth doing, it's easy to convert to
<s:property> and also reduces the duplication / maintenance.


On 11 November 2016 at 10:42, Lukasz Lenart <lu...@apache.org> wrote:

> 2016-11-11 11:21 GMT+01:00 Greg Huber <gr...@gmail.com>:
> >> What browser do you use?
> >
> > firefox 45.4.0 on centos
>
> Yeah... on Chrome it doesn't work, that's why I wasn't able to reproduce :)
>
> >><s:text/> should only be used to fetch messages from properties files
> >>like you did, exactly what description says "Render a I18n text
> >>message". Using it for something else is a bad idea.
> >>I can escape the returning value, this will block JavaScript
> >>injections like you did.
> >
> > Maybe worth only allowing <s:text/> from .properties, as it says in the
> > description?? ...For easier maintenance and escaping might slow it down
> > even more!!
>
> Hm... good suggestion, escaping can slow down the whole processing
> also it's a case with defaultMessage, I mean passed "name" by default
> is set as a defaultMessage so
>
> <s:text name="<script>alert('ok')</script>" />
>
> will try to find a property with key "<script>alert('ok')</script>"
> but it will fail and fallback to default message which is
> "<script>alert('ok')</script>" - so we must defend the defaultMessage
> plus disable evaluating it against a ValueStack.
>
> Thanks!
>
> https://issues.apache.org/jira/browse/WW-4711
> https://issues.apache.org/jira/browse/WW-4712
>
> > When I started using struts I made the mistake of using <s:text/>
> > incorrectly where I should have used <s:properties/> as it works.  Also I
> > had no idea that these hidden #parameters etc exist.
>
> Maybe we should've thought about renaming this tag
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

Re: Referencing request parameters in struts tags.

Posted by Greg Huber <gr...@gmail.com>.
I did a scan through my jsps for s:text (3480 matches!) and this is the
only thing I can find that is non standard:

<s:iterator var="item" value="list">
  <s:text name="%{#item.key}" />
</s:iterator>

i.e. it's looking for a #item.key (i.e. form.value=some text) from the
.properties file:

this does not work:
<s:text name="%{<s:property value='#dg.key' />}" />

and returns:

form.value



On 11 November 2016 at 10:42, Lukasz Lenart <lu...@apache.org> wrote:

> 2016-11-11 11:21 GMT+01:00 Greg Huber <gr...@gmail.com>:
> >> What browser do you use?
> >
> > firefox 45.4.0 on centos
>
> Yeah... on Chrome it doesn't work, that's why I wasn't able to reproduce :)
>
> >><s:text/> should only be used to fetch messages from properties files
> >>like you did, exactly what description says "Render a I18n text
> >>message". Using it for something else is a bad idea.
> >>I can escape the returning value, this will block JavaScript
> >>injections like you did.
> >
> > Maybe worth only allowing <s:text/> from .properties, as it says in the
> > description?? ...For easier maintenance and escaping might slow it down
> > even more!!
>
> Hm... good suggestion, escaping can slow down the whole processing
> also it's a case with defaultMessage, I mean passed "name" by default
> is set as a defaultMessage so
>
> <s:text name="<script>alert('ok')</script>" />
>
> will try to find a property with key "<script>alert('ok')</script>"
> but it will fail and fallback to default message which is
> "<script>alert('ok')</script>" - so we must defend the defaultMessage
> plus disable evaluating it against a ValueStack.
>
> Thanks!
>
> https://issues.apache.org/jira/browse/WW-4711
> https://issues.apache.org/jira/browse/WW-4712
>
> > When I started using struts I made the mistake of using <s:text/>
> > incorrectly where I should have used <s:properties/> as it works.  Also I
> > had no idea that these hidden #parameters etc exist.
>
> Maybe we should've thought about renaming this tag
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

Re: Referencing request parameters in struts tags.

Posted by Greg Huber <gr...@gmail.com>.
...This works as a work around

<s:property value="%{getText(#dg.key)}" />

which is using the getText(..) from the action class.


On 11 November 2016 at 10:42, Lukasz Lenart <lu...@apache.org> wrote:

> 2016-11-11 11:21 GMT+01:00 Greg Huber <gr...@gmail.com>:
> >> What browser do you use?
> >
> > firefox 45.4.0 on centos
>
> Yeah... on Chrome it doesn't work, that's why I wasn't able to reproduce :)
>
> >><s:text/> should only be used to fetch messages from properties files
> >>like you did, exactly what description says "Render a I18n text
> >>message". Using it for something else is a bad idea.
> >>I can escape the returning value, this will block JavaScript
> >>injections like you did.
> >
> > Maybe worth only allowing <s:text/> from .properties, as it says in the
> > description?? ...For easier maintenance and escaping might slow it down
> > even more!!
>
> Hm... good suggestion, escaping can slow down the whole processing
> also it's a case with defaultMessage, I mean passed "name" by default
> is set as a defaultMessage so
>
> <s:text name="<script>alert('ok')</script>" />
>
> will try to find a property with key "<script>alert('ok')</script>"
> but it will fail and fallback to default message which is
> "<script>alert('ok')</script>" - so we must defend the defaultMessage
> plus disable evaluating it against a ValueStack.
>
> Thanks!
>
> https://issues.apache.org/jira/browse/WW-4711
> https://issues.apache.org/jira/browse/WW-4712
>
> > When I started using struts I made the mistake of using <s:text/>
> > incorrectly where I should have used <s:properties/> as it works.  Also I
> > had no idea that these hidden #parameters etc exist.
>
> Maybe we should've thought about renaming this tag
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

Re: Referencing request parameters in struts tags.

Posted by Lukasz Lenart <lu...@apache.org>.
2016-11-11 11:21 GMT+01:00 Greg Huber <gr...@gmail.com>:
>> What browser do you use?
>
> firefox 45.4.0 on centos

Yeah... on Chrome it doesn't work, that's why I wasn't able to reproduce :)

>><s:text/> should only be used to fetch messages from properties files
>>like you did, exactly what description says "Render a I18n text
>>message". Using it for something else is a bad idea.
>>I can escape the returning value, this will block JavaScript
>>injections like you did.
>
> Maybe worth only allowing <s:text/> from .properties, as it says in the
> description?? ...For easier maintenance and escaping might slow it down
> even more!!

Hm... good suggestion, escaping can slow down the whole processing.
Also there's the case with defaultMessage, I mean the passed "name" by default
is set as the defaultMessage, so

<s:text name="<script>alert('ok')</script>" />

will try to find a property with key "<script>alert('ok')</script>"
but it will fail and fall back to the default message, which is
"<script>alert('ok')</script>" - so we must defend the defaultMessage
plus disable evaluating it against a ValueStack.

Thanks!

https://issues.apache.org/jira/browse/WW-4711
https://issues.apache.org/jira/browse/WW-4712

> When I started using struts I made the mistake of using <s:text/>
> incorrectly where I should have used <s:properties/> as it works.  Also I
> had no idea that these hidden #parameters etc exist.

Maybe we should've thought about renaming this tag


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

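As an added illustration (a model written for this page, not Struts source and not code from anyone on the thread) of the lookup-then-fallback behaviour Łukasz describes above, and of Greg's earlier observation that <s:property value="#parameters.error"/> is blocked while <s:text name="#parameters.error"/> pops: the class below looks an already-evaluated name up in a constructed message bundle, falls back to the name itself when the key is missing, and shows that fallback once unescaped and once escaped, while <s:property> is modelled as escaping its value by default. The OGNL evaluation of the name attribute is assumed to have happened before these methods are called; all class and method names are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

/**
 * Toy model (not Struts code) of the two tags discussed on this thread.
 * It mimics only the "look the key up, fall back to the name as
 * defaultMessage" behaviour of <s:text/> and the default escaping of
 * <s:property/>, so the outcomes can be compared side by side.
 */
public class StrutsTagModel {

    /** Constructed stand-in for ApplicationResources.properties. */
    static final String BUNDLE =
            "login.error=Login failed\n"
          + "important=<em>Important</em>\n";

    private final Properties messages = new Properties();

    public StrutsTagModel() {
        try {
            messages.load(new StringReader(BUNDLE));
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Escapes the characters that matter when a value lands in HTML element content. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** <s:property value="..."/>: escapes its (already evaluated) value by default. */
    public String propertyTag(String evaluatedValue) {
        return escapeHtml(evaluatedValue);
    }

    /**
     * <s:text name="..."/> before the fix: if the evaluated name is not a
     * bundle key it becomes the defaultMessage and is written out verbatim.
     */
    public String textTagBefore(String evaluatedName) {
        String found = messages.getProperty(evaluatedName);
        return found != null ? found : evaluatedName;
    }

    /**
     * <s:text name="..."/> after the fix: bundle messages still render as-is
     * (HTML in .properties keeps working); only the defaultMessage fallback
     * is escaped.
     */
    public String textTagAfter(String evaluatedName) {
        String found = messages.getProperty(evaluatedName);
        return found != null ? found : escapeHtml(evaluatedName);
    }

    public static void main(String[] args) {
        StrutsTagModel tags = new StrutsTagModel();
        // Constructed value, standing in for what #parameters.error evaluates to.
        String fromRequest = "<script>alert('ok')</script>";

        System.out.println("property      : " + tags.propertyTag(fromRequest));
        System.out.println("text (before) : " + tags.textTagBefore(fromRequest));
        System.out.println("text (after)  : " + tags.textTagAfter(fromRequest));
        System.out.println("bundle key    : " + tags.textTagAfter("login.error"));
        System.out.println("bundle html   : " + tags.textTagAfter("important"));
    }
}
```

Only the "text (before)" line writes the script element through unchanged; the "bundle html" line shows that a message taken from the bundle is not touched by the escaping on the fallback path.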


Re: Referencing request parameters in struts tags.

Posted by Greg Huber <gr...@gmail.com>.
> What browser do you use?

firefox 45.4.0 on centos

><s:text/> should only be used to fetch messages from properties files
>like you did, exactly what description says "Render a I18n text
>message". Using it to something else is a bad idea.
>I can escape the returning value, this will block JavaScript
>injections like you did.

Maybe worth only allowing <s:text/> from .properties, as it says in the
description?? ...For easier maintenance and escaping might slow it down
even more!!

When I started using struts I made the mistake of using <s:text/>
incorrectly where I should have used <s:properties/> as it works.  Also I
had no idea that these hidden #parameters etc exist.

Cheers





On 11 November 2016 at 10:06, Lukasz Lenart <lu...@apache.org> wrote:

> 2016-11-11 9:13 GMT+01:00 Greg Huber <gr...@gmail.com>:
> >> Are you sure you are using the latest SNAPSHOT build? I cannot confirm
> >> this locally
> >> http://screencast.com/t/j5Fz7EnBD4SZ
> >
> > I have rechecked it and it still pops
> >
> > <s:text name="#parameters.error"/>
> >
> > struts2-core-2.5.6-SNAPSHOT.jar  and is dated 7/11/2016
>
> What browser do you use?
>
> >>but this is basically your fault as a developer. I'm going to mark
> >>.toMap as deprecated and hide access to it.
> >
> > agreed, but security breaches can come from within especially on large
> > projects and it's easy to hide a <s:text name="getParameter('error')" />
> > somewhere.
> >
> > Is there a reason why the s:text has such a wide usage?  I really only
> use
> > it for text from my ApplicationResources.properties.  I use s:property
> for
> > all the get(..) etc stuff.
>
> <s:text/> should only be used to fetch messages from properties files
> like you did, exactly what description says "Render a I18n text
> message". Using it for something else is a bad idea.
> I can escape the returning value, this will block JavaScript
> injections like you did.
>
> > <s:property value="#parameters.error"/>
> >
> > is blocked.
>
> Cool :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

Re: Referencing request parameters in struts tags.

Posted by Lukasz Lenart <lu...@apache.org>.
2016-11-11 9:13 GMT+01:00 Greg Huber <gr...@gmail.com>:
>> Are you sure you are using the latest SNAPSHOT build? I cannot confirm
>> this locally
>> http://screencast.com/t/j5Fz7EnBD4SZ
>
> I have rechecked it and it still pops
>
> <s:text name="#parameters.error"/>
>
> struts2-core-2.5.6-SNAPSHOT.jar  and is dated 7/11/2016

What browser do you use?

>>but this is basically your fault as a developer. I'm going to mark
>>.toMap as deprecated and hide access to it.
>
> agreed, but security breaches can come from within especially on large
> projects and it's easy to hide a <s:text name="getParameter('error')" />
> somewhere.
>
> Is there a reason why the s:text has such a wide usage?  I really only use
> it for text from my ApplicationResources.properties.  I use s:property for
> all the get(..) etc stuff.

<s:text/> should only be used to fetch messages from properties files
like you did, exactly what description says "Render a I18n text
message". Using it for something else is a bad idea.
I can escape the returning value, this will block JavaScript
injections like you did.

> <s:property value="#parameters.error"/>
>
> is blocked.

Cool :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Referencing request parameters in struts tags.

Posted by Greg Huber <gr...@gmail.com>.
> Are you sure you are using the latest SNAPSHOT build? I cannot confirm
> this locally
> http://screencast.com/t/j5Fz7EnBD4SZ

I have rechecked it and it still pops

<s:text name="#parameters.error"/>

struts2-core-2.5.6-SNAPSHOT.jar  and is dated 7/11/2016

>but this is basically your fault as a developer. I'm going to mark
>.toMap as deprecated and hide access to it.

agreed, but security breaches can come from within especially on large
projects and it's easy to hide a <s:text name="getParameter('error')" />
somewhere.

Is there a reason why the s:text has such a wide usage?  I really only use
it for text from my ApplicationResources.properties.  I use s:property for
all the get(..) etc stuff.

and

<s:property value="#parameters.error"/>

is blocked.



On 10 November 2016 at 19:02, Lukasz Lenart <lu...@apache.org> wrote:

> 2016-11-08 13:06 GMT+01:00 Greg Huber <gr...@gmail.com>:
> > Nearly:
> >
> > <s:text name="#parameters.get('error').value"/>
> >
> > This is now blocked :
> >
> > #parameters.get('error').value
> >
> > But:
> >
> > <s:text name="#parameters.error"/>
> >
> > Does the popup!
>
> Are you sure you are using the latest SNAPSHOT build? I cannot confirm
> this locally
> http://screencast.com/t/j5Fz7EnBD4SZ
>
> > #####
> >
> > Also, if I modify my class for HttpParametersAware and use the new
> > HttpParameters
> >
> > ie
> > public void setParameters(HttpParameters parameters) {
> >         this.params = parameters.toMap();
> >        }
> >     public String getParameter(String key) {
> >         String[] p = (String[]) this.params.get(key);
> >         if (p != null && p.length > 0) {
> >             return p[0];
> >         }
> >         return null;
> >     }
> >
> > then :
> >
> > <s:text name="getParameter('error')" />
> >
> > I also get the popup
>
> but this is basically your fault as a developer. I'm going to mark
> .toMap as deprecated and hide access to it.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

Re: Referencing request parameters in struts tags.

Posted by Lukasz Lenart <lu...@apache.org>.
2016-11-08 13:06 GMT+01:00 Greg Huber <gr...@gmail.com>:
> Nearly:
>
> <s:text name="#parameters.get('error').value"/>
>
> This is now blocked :
>
> #parameters.get('error').value
>
> But:
>
> <s:text name="#parameters.error"/>
>
> Does the popup!

Are you sure you are using the latest SNAPSHOT build? I cannot confirm
this locally
http://screencast.com/t/j5Fz7EnBD4SZ

> #####
>
> Also, if I modify my class for HttpParametersAware and use the new
> HttpParameters
>
> ie
> public void setParameters(HttpParameters parameters) {
>         this.params = parameters.toMap();
>        }
>     public String getParameter(String key) {
>         String[] p = (String[]) this.params.get(key);
>         if (p != null && p.length > 0) {
>             return p[0];
>         }
>         return null;
>     }
>
> then :
>
> <s:text name="getParameter('error')" />
>
> I also get the popup

but this is basically your fault as a developer. I'm going to mark
.toMap as deprecated and hide access to it.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Referencing request parameters in struts tags.

Posted by Greg Huber <gr...@gmail.com>.
Nearly:

<s:text name="#parameters.get('error').value"/>

This is now blocked :

#parameters.get('error').value

But:

<s:text name="#parameters.error"/>

Does the popup!

#####

Also, if I modify my class for HttpParametersAware and use the new
HttpParameters

i.e.

import java.util.Map;
import org.apache.struts2.dispatcher.HttpParameters;

// Fragment of the action class (it implements HttpParametersAware); the
// getter below hands the raw, unescaped parameter value to any OGNL caller.
private Map<String, String[]> params;

public void setParameters(HttpParameters parameters) {
    this.params = parameters.toMap();
}

public String getParameter(String key) {
    String[] p = this.params.get(key);
    if (p != null && p.length > 0) {
        return p[0];
    }
    return null;
}

then :

<s:text name="getParameter('error')" />

I also get the popup


On 8 November 2016 at 10:44, Lukasz Lenart <lu...@apache.org> wrote:

> Pushed changes to the repo, you can test with the latest SNAPSHOT version
>
> 2016-11-02 10:28 GMT+01:00 Lukasz Lenart <lu...@apache.org>:
> > 2016-11-02 9:19 GMT+01:00 Lukasz Lenart <lu...@apache.org>:
> >> 2016-11-02 9:12 GMT+01:00 Greg Huber <gr...@gmail.com>:
> >>> Looking at this:
> >>>
> >>> <s:if test="#parameters.contains('error')">
> >>>   <ul><li>
> >>>     <s:text name="#parameters.get('error').value"/>
> >>>   </li></ul>
> >>> </s:if>
> >>>
> >>> and if I use :
> >>>
> >>> login.action?error=<script type="text/javascript">alert("ok1");</script>
> >>>
> >>> I get a js alert box popup.
> >>>
> >>> Should it be able to popup the alert box?  Thought this kind of script
> >>> should be escaped.
> >>
> >> Yeah, that's why calling directly .value in your scriptlet isn't a good
> >> practise and I want to add a dedicated converter/accessor for
> >> HttpParameters to avoid such a situation.
> >
> > Small progress
> >
> > These don't work as access to .value is not allowed
> > Test: <s:property value="%{#parameters.message.value}"/>
> > Test: <s:property value="%{#parameters.get('message').value}"/>
> > Test: <s:text name="%{#parameters.message.value}"/>
> > Test: <s:text name="%{#parameters.get('message').value}"/>
> >
> > These work and are safe
> > Test: <s:property value="%{#parameters.message}"/>
> > Test: <s:text name="%{#parameters.message}"/>
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/

Re: Referencing request parameters in struts tags.

Posted by Lukasz Lenart <lu...@apache.org>.
Pushed changes to the repo, you can test with the latest SNAPSHOT version

2016-11-02 10:28 GMT+01:00 Lukasz Lenart <lu...@apache.org>:
> 2016-11-02 9:19 GMT+01:00 Lukasz Lenart <lu...@apache.org>:
>> 2016-11-02 9:12 GMT+01:00 Greg Huber <gr...@gmail.com>:
>>> Looking at this:
>>>
>>> <s:if test="#parameters.contains('error')">
>>>   <ul><li>
>>>     <s:text name="#parameters.get('error').value"/>
>>>   </li></ul>
>>> </s:if>
>>>
>>> and if I use :
>>>
>>> login.action?error=<script type="text/javascript">alert("ok1");</script>
>>>
>>> I get a js alert box popup.
>>>
>>> Should it be able to popup the alert box?  Thought this kind of script
>>> should be escaped.
>>
>> Yeah, that's why calling directly .value in your scriptlet isn't a good
>> practise and I want to add a dedicated converter/accessor for
>> HttpParameters to avoid such a situation.
>
> Small progress
>
> These don't work as access to .value is not allowed
> Test: <s:property value="%{#parameters.message.value}"/>
> Test: <s:property value="%{#parameters.get('message').value}"/>
> Test: <s:text name="%{#parameters.message.value}"/>
> Test: <s:text name="%{#parameters.get('message').value}"/>
>
> These work and are safe
> Test: <s:property value="%{#parameters.message}"/>
> Test: <s:text name="%{#parameters.message}"/>
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/


Re: Referencing request parameters in struts tags.

Posted by Lukasz Lenart <lu...@apache.org>.
2016-11-02 9:19 GMT+01:00 Lukasz Lenart <lu...@apache.org>:
> 2016-11-02 9:12 GMT+01:00 Greg Huber <gr...@gmail.com>:
>> Looking at this:
>>
>> <s:if test="#parameters.contains('error')">
>>   <ul><li>
>>     <s:text name="#parameters.get('error').value"/>
>>   </li></ul>
>> </s:if>
>>
>> and if I use :
>>
>> login.action?error=<script type="text/javascript">alert("ok1");</script>
>>
>> I get a js alert box popup.
>>
>> Should it be able to pop up the alert box?  Thought this kind of script
>> should be escaped.
>
> Yeah, that's why calling directly .value in your scriptlet isn't a good
> practice and I want to add a dedicated converter/accessor for
> HttpParameters to avoid such a situation.

Small progress

These don't work as access to .value is not allowed
Test: <s:property value="%{#parameters.message.value}"/>
Test: <s:property value="%{#parameters.get('message').value}"/>
Test: <s:text name="%{#parameters.message.value}"/>
Test: <s:text name="%{#parameters.get('message').value}"/>

These work and are safe
Test: <s:property value="%{#parameters.message}"/>
Test: <s:text name="%{#parameters.message}"/>


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: Referencing request parameters in struts tags.

Posted by Lukasz Lenart <lu...@apache.org>.
2016-11-02 9:12 GMT+01:00 Greg Huber <gr...@gmail.com>:
> Looking at this:
>
> <s:if test="#parameters.contains('error')">
>   <ul><li>
>     <s:text name="#parameters.get('error').value"/>
>   </li></ul>
> </s:if>
>
> and if I use :
>
> login.action?error=<script type="text/javascript">alert("ok1");</script>
>
> I get a js alert box popup.
>
> Should it be able to pop up the alert box?  Thought this kind of script
> should be escaped.

Yeah, that's why calling directly .value in your scriptlet isn't a good
practice and I want to add a dedicated converter/accessor for
HttpParameters to avoid such a situation.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


Re: Referencing request parameters in struts tags.

Posted by Greg Huber <gr...@gmail.com>.
Looking at this:

<s:if test="#parameters.contains('error')">
  <ul><li>
    <s:text name="#parameters.get('error').value"/>
  </li></ul>
</s:if>

and if I use :

login.action?error=<script type="text/javascript">alert("ok1");</script>

I get a js alert box popup.

Should it be able to pop up the alert box?  Thought this kind of script
should be escaped.



On 2 November 2016 at 07:22, Lukasz Lenart <lu...@apache.org> wrote:

> 2016-11-01 14:39 GMT+01:00 McAleer, Richard (INT) <
> Richard.McAleer@teledyne.com>:
>
> > Hi,
> >
> > I’ve written a question on stackoverflow but thought I might get a better
> > response on the mailing list:
> >
> >
> >
> > http://stackoverflow.com/questions/40360998/struts-parameters-not-accessible-in-sif-tag
> >
> >
> >
> > The problem I’m running into sounds very similar to
> > https://issues.apache.org/jira/browse/WW-2120 but I don’t think it’s the
> > same issue based on what I found tracing through the code.
> >
> >
>
> I posted a comment but it would be better to register a bug in JIRA.
>
>
> Thanks & regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
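Greg's manual test above (reflecting the error parameter through `<s:text name="#parameters.get('error').value"/>`) and the "These don't work" / "These work and are safe" list in Łukasz's "Small progress" message both amount to a reflected-XSS check done by hand. What follows is an added example, not code from the Struts project or from anyone in this thread: a small Python probe that sends the same payload and classifies the reply as reflected raw (the .value case), entity-escaped, or not reflected at all, so the result can be re-checked after moving to the SNAPSHOT that blocks .value. The host example.invalid, the parameter name error, the fetch helper and the two sample response bodies are assumptions made so that the script runs offline.

```python
"""Reflected-XSS probe for the Struts tag pattern discussed in this thread.

Added example; it is not code from the Struts project or from any poster.
The host example.invalid, the parameter name 'error' and the two sample
response bodies below are assumptions so the script runs offline.  Point
probe() at a real login.action (with its default fetcher) to test a
deployment before and after moving to the SNAPSHOT that blocks .value.
"""
import html
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Greg's payload from the thread, verbatim.
PAYLOAD = '<script type="text/javascript">alert("ok1");</script>'


def probe_url(base_url: str, param: str, payload: str = PAYLOAD) -> str:
    """Build base_url?param=<payload>, URL-encoding the payload exactly once."""
    return f"{base_url}?{urllib.parse.urlencode({param: payload})}"


def escaped_forms(payload: str) -> list:
    """Entity-encoded spellings of the payload that common HTML escapers
    produce (Python's html.escape, plus the &#34;/&#39; numeric variants)."""
    quoted = html.escape(payload, quote=True)
    return [
        quoted,
        html.escape(payload, quote=False),
        quoted.replace("&quot;", "&#34;").replace("&#x27;", "&#39;"),
    ]


def classify(body: str, payload: str = PAYLOAD) -> str:
    """Classify how a response body reflects the payload.

    'raw'     - payload appears byte-for-byte, so the browser runs it
                (the #parameters.get('error').value case in the thread)
    'escaped' - angle brackets came back as entities; rendered as text
    'absent'  - not reflected at all (for example, the tag rendered
                nothing because access to .value was refused)

    Only the literal payload in text context is checked; attribute or
    JavaScript contexts need their own payload and decoding rules.
    """
    if payload in body:
        return "raw"
    if any(form in body for form in escaped_forms(payload)):
        return "escaped"
    return "absent"


def _http_fetch(url: str) -> str:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def probe(base_url: str, param: str,
          fetch: Optional[Callable[[str], str]] = None) -> str:
    """Request the page with the payload in `param` and classify the reply.
    `fetch` is injectable so the check can run against a canned body."""
    fetch = fetch or _http_fetch
    return classify(fetch(probe_url(base_url, param)))


# Constructed sample bodies (assumptions, not captured from a real server):
# what <s:text name="#parameters.get('error').value"/> emits for the payload,
# and what an escaping output emits for the same request.
VULNERABLE_BODY = f"<html><body><ul><li>{PAYLOAD}</li></ul></body></html>"
ESCAPED_BODY = f"<html><body><ul><li>{html.escape(PAYLOAD)}</li></ul></body></html>"


if __name__ == "__main__":
    target = "http://example.invalid/login.action"   # assumed host
    for label, body in (("vulnerable", VULNERABLE_BODY), ("escaped", ESCAPED_BODY)):
        print(label, "->", probe(target, "error", fetch=lambda _url, b=body: b))
```

Run it as-is to see the two canned outcomes; drop the `fetch=` argument and point `target` at a real login.action to test a deployment. A result of "raw" reproduces Greg's alert box; "escaped" or "absent" is what you want to see after the change that refuses .value.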

Re: Referencing request parameters in struts tags.

Posted by Lukasz Lenart <lu...@apache.org>.
2016-11-01 14:39 GMT+01:00 McAleer, Richard (INT) <
Richard.McAleer@teledyne.com>:

> Hi,
>
> I’ve written a question on stackoverflow but thought I might get a better
> response on the mailing list:
>
>
>
> http://stackoverflow.com/questions/40360998/struts-parameters-not-accessible-in-sif-tag
>
>
>
> The problem I’m running into sounds very similar to
> https://issues.apache.org/jira/browse/WW-2120 but I don’t think it’s the
> same issue based on what I found tracing through the code.
>
>

I posted a comment but it would be better to register a bug in JIRA.


Thanks & regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/