What about:
* All developers are strongly advised to update Struts 2 applications
to Struts 2.0.11.1 to prevent XSS attacks through Struts 2 tags.
In this way, we aren't quite so in-your-face and a quick summary of
the issue and what part of Struts 2 is affected is included. The
qualifier is
On Mon, Mar 3, 2008 at 6:11 PM, Gary Johnston [EMAIL PROTECTED] wrote:
Thanks to those who answered my original question. The gist of the
responses seemed to be that, no, Struts 1.3.9 will not move up to BeanUtils
1.8.0 (will stay at 1.7.0). So now I'm wondering why not. Is it mostly
just
Yes, sounds good to me. How about the criticality rating in the
bulletin? Critical was - I have to admit :) - just copied from 001,
what would be a fitting rating here?
Don Brown schrieb:
What about:
* All developers are strongly advised to update Struts 2 applications
to Struts 2.0.11.1 to
Or even;
* All developers using user inputted data in s:a and s:url tags are
strongly advised to upgrade in order to increase protection against cross
site scripting attacks.
That way we don't spook people into thinking there's something fundamentally
wrong with the whole framework (and I
Well, this was the first hit on google:
http://www.microsoft.com/technet/security/bulletin/rating.mspx
Therefore, I'd say Moderate to Important.
Don
On 3/4/08, Rene Gielen [EMAIL PROTECTED] wrote:
Yes, sounds good to me. How about the criticality rating in the
bulletin? Critical was - I have
I agree on using cross site scripting in favor of XSS. IMO we should not
get that detailed on tag usage to say it is about user inputted data to
s:a /s:url. People may rate their projects wrong because the
vulnerability starts with includeParamsnone, which does not make it
obvious to most people
Just browsing the results of a search to xss severity on Google, at a
first glance most people seem to rate XSS exploits as high, which would
map to Important in MS speech.
Am Di, 4.03.2008, 10:39, schrieb Don Brown:
Well, this was the first hit on google:
I had a similar problem as you mentioned...
I found a workaround.
The culprit was something of the sort in the header
META HTTP-EQUIV=Expires CONTENT=0 (or -1)
It seemed like it was fooling IE7 to think that the content is already expired.
( ? )
This seems to support my theory...
http://www.tildemark.com/browsers/ie7-always-keep-a-cache-of-the-visited-pages.html
-
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=60129messageID=325380#325380
This is not an issue. If you want better documentation, then add to
one of the existing issues about that.
Please ask questions on the users list.
Thank you
On Tue, Mar 4, 2008 at 4:14 AM, Kris Coolsaet (JIRA) [EMAIL PROTECTED] wrote:
Wildcard mappings match not as expected
I was playing around with JUEL plugin last night, and while running
the example I saw the first input on the form had my name on it. I
spent 10 minutes trying to figure out how it knew it was me, until I
(gave up) looked at the code and saw my name was hardcoded there. Nice
work Tom :)
//is
I've been hard-coding your name into everything I do; keeps people from
sending me emails.
So if you get an email from my ex don't be alarmed. She's mostly harmless.
--- Musachy Barroso [EMAIL PROTECTED] wrote:
I was playing around with JUEL plugin last night, and while running
the example I
2008/3/4, Musachy Barroso [EMAIL PROTECTED]:
//is anybody else doing/planning to do anything on this plugin?
Well, in fact I could help externally, since I would like to add JUEL
support to Tiles:
https://issues.apache.org/struts/browse/TILES-48
Is there already a codebase for this plugin?
It is in the sandbox.
musachy
On Tue, Mar 4, 2008 at 9:32 AM, Antonio Petrelli
[EMAIL PROTECTED] wrote:
2008/3/4, Musachy Barroso [EMAIL PROTECTED]:
//is anybody else doing/planning to do anything on this plugin?
Well, in fact I could help externally, since I would like to add JUEL
LOL Oh, I didn't tell you, the JUEL plugin has some experimental
psychic code in it. Part of the Apache 'I know what you did last
summer!' project. :)
Tom
Musachy Barroso wrote:
I was playing around with JUEL plugin last night, and while running
the example I saw the first input on the form
On 3/4/08, Dave Newton [EMAIL PROTECTED] wrote:
I've been hard-coding your name into everything I do; keeps people from
sending me emails.
Same here. I always thought he liked the extra attention ;-)
Phil
So if you get an email from my ex don't be alarmed. She's mostly harmless.
---
Hi guys,
Sorry, but it is not quite clear to me if the JSP EL is disabled in struts2
tags or not. I've seen that static method calls are disabled.
Thanks,
Felipe
--
View this message in context:
http://www.nabble.com/Issue-WW-2107-question---Is-JSTL-disable-or-not--tp15830208p15830208.html
Hey folks, this is my first post. I have a little problem with an arrayList.
I'm trying to populate a drop down box in my main JSP. This is what's
happening. I have a dynaactionform with a years property which is an
arraylist of reportYear objects. A reportYear object has a getYear and a
--- jmejiaa [EMAIL PROTECTED] wrote:
Hey folks, this is my first post. I have a little problem with an
arrayList.
I'm trying to populate a drop down box in my main JSP. This is what's
happening. I have a dynaactionform with a years property which is an
arraylist of reportYear objects. A
oops, Should I duplicate my post or will someone eventually move it over?
Thanks
--
View this message in context:
http://www.nabble.com/Populating-a-drop-down-with-dynaactionform-arrayList-tp15839874p15839955.html
Sent from the Struts - Dev mailing list archive at Nabble.com.
--- jmejiaa [EMAIL PROTECTED] wrote:
oops, Should I duplicate my post or will someone eventually move it over?
You should re-post to the user list.
You'll probably want to include a code snippet, too :)
Dave