This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new b1c386f Updates stage by Jenkins
b1c386f is described below
commit b1c386f583411a00547d5c61050c9d6e5aaf0915
Author: jenkins <[email protected]>
AuthorDate: Fri Feb 19 20:08:50 2021 +0000
Updates stage by Jenkins
---
content/announce-2020.html | 315 +++++++++++++++++++++
content/{index.html => announce-2021.html} | 185 ++++++------
...essing-application-session-request-objects.html | 22 +-
content/index.html | 10 +-
content/tag-developers/set-tag.html | 7 +-
content/tag-developers/text-tag.html | 5 +
content/tag-developers/url-tag.html | 5 +
7 files changed, 437 insertions(+), 112 deletions(-)
diff --git a/content/announce-2020.html b/content/announce-2020.html
new file mode 100644
index 0000000..09b3377
--- /dev/null
+++ b/content/announce-2020.html
@@ -0,0 +1,315 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8"/>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+ <meta name="Date-Revision-yyyymmdd" content="20140918"/>
+ <meta http-equiv="Content-Language" content="en"/>
+ <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+
+ <title>Announcements 2020</title>
+
+ <link
href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic"
rel="stylesheet" type="text/css">
+ <link
href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css"
rel="stylesheet">
+ <link href="/css/main.css" rel="stylesheet">
+ <link href="/css/custom.css" rel="stylesheet">
+ <link href="/highlighter/github-theme.css" rel="stylesheet">
+
+ <script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
+ <script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
+ <script type="text/javascript" src="/js/community.js"></script>
+</head>
+<body>
+
+<a href="http://github.com/apache/struts" class="github-ribbon">
+ <img style="position: absolute; right: 0; border: 0;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
alt="Fork me on GitHub">
+</a>
+
+<header>
+ <nav>
+ <div role="navigation" class="navbar navbar-default navbar-fixed-top">
+ <div class="container">
+ <div class="navbar-header">
+ <button type="button" data-toggle="collapse"
data-target="#struts-menu" class="navbar-toggle">
+ Menu
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ <a href="/index.html" class="navbar-brand logo"><img
src="/img/struts-logo.svg"></a>
+ </div>
+ <div id="struts-menu" class="navbar-collapse collapse">
+ <ul class="nav navbar-nav">
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Home<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/index.html">Welcome</a></li>
+ <li><a href="/download.cgi">Download</a></li>
+ <li><a href="/releases.html">Releases</a></li>
+ <li><a href="/announce.html">Announcements</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a
href="https://www.apache.org/foundation/thanks.html">Thanks!</a></li>
+ <li><a
href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Support<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/mail.html">User Mailing List</a></li>
+ <li><a href="https://issues.apache.org/jira/browse/WW">Issue
Tracker</a></li>
+ <li><a href="/security.html">Reporting Security Issues</a></li>
+ <li class="divider"></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Migration+Guide">Version
Notes</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins">Security
Bulletins</a></li>
+ <li class="divider"></li>
+ <li><a href="/maven/project-info.html">Maven Project
Info</a></li>
+ <li><a href="/maven/struts2-core/dependencies.html">Struts
Core Dependencies</a></li>
+ <li><a href="/maven/struts2-plugins/modules.html">Plugin
Dependencies</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Documentation<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/birdseye.html">Birds Eye</a></li>
+ <li><a href="/primer.html">Key Technologies</a></li>
+ <li><a href="/kickstart.html">Kickstart FAQ</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Home">Wiki</a></li>
+ <li class="divider"></li>
+ <li><a href="/getting-started/">Getting Started</a></li>
+ <li><a href="/security/">Security Guide</a></li>
+ <li><a href="/core-developers/">Core Developers Guide</a></li>
+ <li><a href="/tag-developers/">Tag Developers Guide</a></li>
+ <li><a href="/maven-archetypes/">Maven Archetypes</a></li>
+ <li><a href="/plugins/">Plugins</a></li>
+ <li><a href="/maven/struts2-core/apidocs/index.html">Struts
Core API</a></li>
+ <li><a href="/tag-developers/tag-reference.html">Tag
reference</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/FAQs">FAQs</a></li>
+ <li><a
href="http://cwiki.apache.org/S2PLUGINS/home.html">Plugin registry</a></li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a data-toggle="dropdown" href="#" class="dropdown-toggle">
+ Contributing<b class="caret"></b>
+ </a>
+ <ul class="dropdown-menu">
+ <li><a href="/youatstruts.html">You at Struts</a></li>
+ <li><a href="/helping.html">How to Help FAQ</a></li>
+ <li><a href="/dev-mail.html">Development Lists</a></li>
+ <li><a href="/contributors/">Contributors Guide</a></li>
+ <li class="divider"></li>
+ <li><a href="/submitting-patches.html">Submitting
patches</a></li>
+ <li><a href="/builds.html">Source Code and Builds</a></li>
+ <li><a href="/coding-standards.html">Coding standards</a></li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/Contributors+Guide">Contributors
Guide</a></li>
+ <li class="divider"></li>
+ <li><a href="/release-guidelines.html">Release
Guidelines</a></li>
+ <li><a href="/bylaws.html">PMC Charter</a></li>
+ <li><a href="/volunteers.html">Volunteers</a></li>
+ <li><a
href="https://gitbox.apache.org/repos/asf?p=struts.git">Source
Repository</a></li>
+ <li><a href="/updating-website.html">Updating the
website</a></li>
+ </ul>
+ </li>
+ <li class="apache"><a href="http://www.apache.org/"><img
src="/img/apache.png"></a></li>
+ </ul>
+ </div>
+ </div>
+ </div>
+ </nav>
+</header>
+
+
+<article class="container">
+ <section class="col-md-12">
+ <a class="edit-on-gh"
href="https://github.com/apache/struts-site/edit/master/source/announce-2020.md"
title="Edit this page on GitHub">Edit on GitHub</a>
+
+ <h1 class="no_toc" id="announcements-2020">Announcements 2020</h1>
+
+<ul id="markdown-toc">
+ <li><a href="#a20201208" id="markdown-toc-a20201208">08 December 2020 -
Potential RCE when using forced evaluation - CVE-2020-17530</a></li>
+ <li><a href="#a20201206" id="markdown-toc-a20201206">06 December 2020 -
Struts 2.5.26 General Availability</a></li>
+ <li><a href="#a20200928" id="markdown-toc-a20200928">28 September 2020 -
Struts 2.5.25 General Availability</a></li>
+ <li><a href="#a20200813" id="markdown-toc-a20200813">13 August 2020 -
Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233
(DoS) security issues</a></li>
+</ul>
+
+<p class="pull-right">
+ Skip to: <a href="announce-2019.html">Announcements - 2019</a>
+</p>
+
+<h4 id="a20201208">08 December 2020 - Potential RCE when using forced
evaluation - CVE-2020-17530</h4>
+
+<p>The Apache Struts Security team would like to announce that forced OGNL
evaluation, when evaluated on raw user input
+in tag attributes, may lead to remote code execution.</p>
+
+<p><strong>Problem</strong></p>
+
+<p>Some of the tag’s attributes could perform a double evaluation if a
developer applied forced OGNL evaluation
+by using the <code class="highlighter-rouge">%{...}</code> syntax. Using
forced OGNL evaluation on untrusted user input can lead to a Remote Code
Execution
+and security degradation.</p>
+
+<p><strong>Solution</strong></p>
+
+<p>Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade
to Struts 2.5.26 which checks if expression
+evaluation won’t lead to the double evaluation.</p>
+
+<p>Please read our Security Bulletin <a
href="https://cwiki.apache.org/confluence/display/WW/S2-061">S2-061</a> for
more details.</p>
+
+<p>This vulnerability was identified by:</p>
+<ul>
+ <li>Alvaro Munoz - pwntester at github dot com</li>
+ <li>Masato Anzai of Aeye Security Lab, inc.</li>
+</ul>
+
+<p><strong>All developers are strongly advised to perform this
action.</strong></p>
+
+<h4 id="a20201206">06 December 2020 - Struts 2.5.26 General Availability</h4>
+
+<p>The Apache Struts group is pleased to announce that Struts 2.5.26 is
available as a “General Availability”
+release. The GA designation is our highest quality grade.</p>
+
+<p>Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications.
+The framework has been designed to streamline the full development cycle, from
building, to deploying,
+to maintaining applications over time.</p>
+
+<p>Below is a full list of all changes:</p>
+
+<ul>
+ <li>Junit plugin does not push ACTION_MAPPING into the context resulting in
NPE</li>
+ <li>Struts2 StaticParametersInterceptor’s addParametersToContext method is
not working as expected</li>
+</ul>
+
+<blockquote>
+ <p>Please read the <a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26">Version
Notes</a> to find more details about performed
+bug fixes and improvements.</p>
+</blockquote>
+
+<p><strong>All developers are strongly advised to perform this
action.</strong></p>
+
+<p>The 2.5.x series of the Apache Struts framework has a minimum requirement
of the following specification versions:
+Servlet API 2.4, JSP API 2.0, and Java 7.</p>
+
+<p>Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list,
+and, if appropriate, file <a
href="https://issues.apache.org/jira/projects/WW/">a tracking ticket</a>.</p>
+
+<p>You can download this version from our <a
href="download.cgi#struts-ga">download</a> page.</p>
+
+<h4 id="a20200928">28 September 2020 - Struts 2.5.25 General Availability</h4>
+
+<p>The Apache Struts group is pleased to announce that Struts 2.5.25 is
available as a “General Availability”
+release. The GA designation is our highest quality grade.</p>
+
+<p>Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications.
+The framework has been designed to streamline the full development cycle, from
building, to deploying,
+to maintaining applications over time.</p>
+
+<p>Below is a full list of all changes:</p>
+
+<ul>
+ <li>Package Level Properties in Global Results</li>
+ <li>AbstractMatcher adds values to the map passed into replaceParameters</li>
+ <li>Minor bug in single file upload example of the Showcase application</li>
+ <li>Unable to set long pathname variables</li>
+ <li>s:set with empty body</li>
+ <li>AliasInterceptor doesn’t properly handle Parameter.Empty</li>
+ <li>Improve build behaviour on JDK9+</li>
+ <li>Update multiple Struts 2.5.x libraries / Maven build plugin versions</li>
+ <li>Upgrade OSGi to the latest version</li>
+</ul>
+
+<blockquote>
+ <p>Please read the <a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.25">Version
Notes</a> to find more details about performed
+bug fixes and improvements.</p>
+</blockquote>
+
+<p><strong>All developers are strongly advised to perform this
action.</strong></p>
+
+<p>The 2.5.x series of the Apache Struts framework has a minimum requirement
of the following specification versions:
+Servlet API 2.4, JSP API 2.0, and Java 7.</p>
+
+<p>Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list,
+and, if appropriate, file <a
href="https://issues.apache.org/jira/projects/WW/">a tracking ticket</a>.</p>
+
+<p>You can download this version from our <a
href="download.cgi#struts-ga">download</a> page.</p>
+
+<h4 id="a20200813">13 August 2020 - Security Advice: Announcing CVE-2019-0230
(Possible RCE) and CVE-2019-0233 (DoS) security issues</h4>
+
+<p>Two new <a
href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletin">Struts
Security Bulletins</a> have been issued for Struts 2 by the Apache Struts
Security Team:</p>
+
+<ul>
+ <li><a
href="https://cwiki.apache.org/confluence/display/ww/s2-059">S2-059</a> -
Forced double OGNL evaluation, when evaluated on raw user input in tag
attributes, may lead to remote code execution (CVE-2019-0230)</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/ww/s2-060">S2-060</a> -
Access permission override causing a Denial of Service when performing a file
upload (CVE-2019-0233)</li>
+</ul>
+
+<p>Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20. The
current version 2.5.22, which was released in November 2019, is not
affected.</p>
+
+<p><a
href="https://cwiki.apache.org/confluence/display/ww/s2-059">CVE-2019-0230</a>
has been reported by Matthias Kaiser, Apple Information Security.
+By design, Struts 2 allows developers to utilize forced double evaluation for
certain tag attributes.
+When used with unvalidated, user modifiable input, malicious OGNL expressions
may be injected.
+In an ongoing effort, the Struts framework includes mitigations for limiting
the impact of injected expressions, but Struts before 2.5.22 left an attack
vector open which is addressed by this report.
+<strong>However, we continue to urge developers building upon Struts 2 to <a
href="https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions">not
use <code class="highlighter-rouge">%{...}</code> or <code
class="highlighter-rouge">${...}</code> syntax referencing unvalidated user
modifiable input in tag attributes </a>, since this is the ultimate fix for
this class of vulnerabilities.</strong></p>
+
+<p><a
href="https://cwiki.apache.org/confluence/display/ww/s2-060">CVE-2019-0233</a>
has been reported by Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
+In Struts before 2.5.22, when a file upload is performed to an Action that
exposes the file with a getter, an attacker may manipulate the request such
that the working copy of the uploaded file or even the container temporary
upload directory may be set to read-only access. As a result, subsequent
actions on the file or file uploads in general will fail with an error.</p>
+
+<p>Both issues are already fixed in Apache Struts <a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22">2.5.22</a>,
which was released in November 2019.</p>
+
+<p><strong>We strongly recommend all users to <a
href="download.cgi#struts-ga">upgrade</a> to Struts 2.5.22, if this has not
been done already.</strong></p>
+
+<p>The Apache Struts Security Team would like to thank the reporters for their
efforts and their practice of responsible disclosure, as well as their help
while investigating the report and coordinating public disclosure.</p>
+
+<p class="pull-right">
+ Skip to: <a href="announce-2019.html">Announcements - 2019</a>
+</p>
+
+<p class="pull-left">
+ <strong>Next:</strong>
+ <a href="kickstart.html">Kickstart FAQ</a>
+</p>
+
+ </section>
+</article>
+
+
+<footer class="container">
+ <div class="col-md-12">
+ Copyright © 2000-2018 <a href="http://www.apache.org/">The Apache
Software Foundation </a>.
+ All Rights Reserved.
+ </div>
+ <div class="col-md-12">
+ Apache Struts, Struts, Apache, the Apache feather logo, and the Apache
Struts project logos are
+ trademarks of The Apache Software Foundation.
+ </div>
+ <div class="col-md-12">Logo and website design donated by <a
href="https://softwaremill.com/">SoftwareMill</a>.</div>
+</footer>
+
+<script>!function (d, s, id) {
+ var js, fjs = d.getElementsByTagName(s)[0];
+ if (!d.getElementById(id)) {
+ js = d.createElement(s);
+ js.id = id;
+ js.src = "//platform.twitter.com/widgets.js";
+ fjs.parentNode.insertBefore(js, fjs);
+ }
+}(document, "script", "twitter-wjs");</script>
+<script src="https://apis.google.com/js/platform.js" async="async"
defer="defer"></script>
+
+<div id="fb-root"></div>
+
+<script>(function (d, s, id) {
+ var js, fjs = d.getElementsByTagName(s)[0];
+ if (d.getElementById(id)) return;
+ js = d.createElement(s);
+ js.id = id;
+ js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1";
+ fjs.parentNode.insertBefore(js, fjs);
+}(document, 'script', 'facebook-jssdk'));</script>
+
+
+</body>
+</html>
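Review bot: The `<head>` of the new announce-2020.html loads jQuery 1.11.0, Font Awesome and Google Fonts from third-party hosts through protocol-relative URLs (`//code.jquery.com/jquery-1.11.0.min.js`, `//netdna.bootstrapcdn.com/...`, `//fonts.googleapis.com/...`) with no `integrity` attribute, so the page carrying the S2-061 and S2-059 advisories runs whatever those hosts serve. Pin them to `https://` with `integrity` and `crossorigin`, or serve them from the site as is already done for `/bootstrap/js/bootstrap.js`. Separately, in the 13 August 2020 entry the "Struts Security Bulletins" link targets `.../display/WW/Security+Bulletin`, while the navbar in the same file uses `.../display/WW/Security+Bulletins`; the two should agree.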
diff --git a/content/index.html b/content/announce-2021.html
similarity index 64%
copy from content/index.html
copy to content/announce-2021.html
index 2d5adae..9eeb643 100644
--- a/content/index.html
+++ b/content/announce-2021.html
@@ -7,11 +7,13 @@
<meta http-equiv="Content-Language" content="en"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
- <title>Welcome to the Apache Struts project</title>
+ <title>Announcements 2021</title>
<link
href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,400italic,600italic,700italic"
rel="stylesheet" type="text/css">
<link
href="//netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css"
rel="stylesheet">
<link href="/css/main.css" rel="stylesheet">
+ <link href="/css/custom.css" rel="stylesheet">
+ <link href="/highlighter/github-theme.css" rel="stylesheet">
<script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
<script type="text/javascript" src="/bootstrap/js/bootstrap.js"></script>
@@ -123,102 +125,91 @@
</header>
-<article class="container index">
- <section>
- <div class="container hero">
- <div class="jumbotron col-md-12">
- <h1>Apache Struts</h1>
- <p>Apache Struts is a free, open-source, MVC framework for creating
elegant,
- modern Java web applications. It favors convention over configuration, is
- extensible using a plugin architecture, and ships with plugins to support
- REST, AJAX and JSON.
- </p>
- <a href="download.cgi#struts2526" class="btn btn-primary btn-large">
- <img src="img/download-icon.svg"> Download
- </a>
- <a href="primer.html" class="btn btn-info btn-large">
- <img src="img/primer-icon.svg"> Technology Primer
- </a>
- </div>
-</div>
-<div class="container important-notes">
- <div class="col-md-12">
- <div class="row">
- <div class="column col-md-4">
- <h2>Apache Struts 2.5.26 GA</h2>
- <p>
- Apache Struts 2.5.26 GA has been released<br/>on 06 December 2020.
- </p>
- Read more in <a href="announce.html#a20201206">Announcement</a> or in
- <a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26">Version
notes</a>
- </div>
- <div class="column col-md-4">
- <h2>Security Advice S2-061 released</h2>
- <p>
- Forced OGNL evaluation, when evaluated on raw user input in tag
attributes, may lead to remote code execution.
- Read more in
- <a href="announce#a20201208">Announcement</a>
- </p>
- </div>
- <div class="column col-md-4">
- <h2>Google's Patch Reward program</h2>
- <p>During <a href="http://www.meetup.com/sfhtml5/">SFHTML5</a> Google
announced that
- they extend their program to cover the Apache Struts project as
well. Now you can earn
- money preparing patches for us!
- <a href="submitting-patches.html#googles-patch-reward-program">read
more</a>
- </p>
- </div>
- </div>
- <div class="row">
- <div class="column col-md-4">
- <h2>Apache Struts 2.3.x EOL</h2>
- <p>
- The Apache Struts Team informs about discontinuing support for
Struts 2.3.x branch, we recommend migration
- to the latest version of Struts, read more in
- <a href="announce-2019#a20190912">Announcement</a>
- </p>
- </div>
- <div class="column col-md-4">
- <h2>Apache Struts 2.3.37 GA</h2>
- <p>
- It's the latest release of Struts 2.3.x which contains the latest
security fixes,
- released on 30 December 2018.<br/> Read more in <a
href="announce-2019.html#a20181230">Announcement</a> or in
- <a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.37">Version
notes</a>
- </p>
- </div>
- <div class="column col-md-4">
- <h2>Immediately upgrade commons-fileupload to version 1.3.3</h2>
- <p>
- The Apache Struts Team recommends to immediately upgrade your Struts
2
- based projects to use the latest released version of Commons
- FileUpload library, which is currently 1.3.3.
- <a href="announce-2018#a20180323">Announcement</a>
- </p>
- </div>
- <div class="column col-md-4">
- </div>
- </div>
- </div>
-</div>
-<div class="container contact-channels">
- <div class="col-md-12"><h5>Keep in touch: </h5>
-
- <div class="channels">
- <div class="irc-btn">IRC: <a
href="irc://irc.freenode.net/struts">#struts</a></div>
- <div class="facebook-btn">
- <div data-href="https://www.facebook.com/apachestruts"
data-width="250" data-layout="button_count"
- data-action="like" data-show-faces="false" data-share="true"
class="fb-like"></div>
- </div>
- <div class="gplus-btn">
- <div data-annotation="inline" data-size="medium" data-width="225"
data-href="http://struts.apache.org/"
- class="g-plusone"></div>
- </div>
- <div class="twitter-btn"><a href="https://twitter.com/TheApacheStruts"
data-show-count="false" data-lang="en"
- data-width="240px" data-align="left"
class="twitter-follow-button">Follow
- @TheApacheStruts</a></div>
- </div>
- </div>
-</div>
+<article class="container">
+ <section class="col-md-12">
+ <a class="edit-on-gh"
href="https://github.com/apache/struts-site/edit/master/source/announce-2021.md"
title="Edit this page on GitHub">Edit on GitHub</a>
+
+ <h1 class="no_toc" id="announcements-2021">Announcements 2021</h1>
+
+<ul id="markdown-toc">
+ <li><a href="#a20210219" id="markdown-toc-a20210219">19 February 2021 -
Struts Security Impact Levels</a></li>
+</ul>
+
+<p class="pull-right">
+ Skip to: <a href="announce-2020">Announcements - 2020</a>
+</p>
+
+<h4 id="a20210219">19 February 2021 - Struts Security Impact Levels</h4>
+
+<p>The Apache Struts Security team would like to announce <a
href="https://cwiki.apache.org/confluence/display/WW/Security+Bulletins#SecurityBulletins-Securityimpactlevels">Security
Impact Levels</a>
+which will be used to rate any future Security Bulletins. We also updated the
current Security Bulletins to match
+the levels. Below is the list of the updated bulletins with a new Maximum
security rating.</p>
+
+<ul>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-060">S2-060</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-056">S2-056</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-055">S2-055</a>
+High -> Important</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-054">S2-054</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-051">S2-051</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-049">S2-049</a>
+High -> Important</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-048">S2-048</a>
+High -> Important</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-042">S2-042</a>
+High -> Important</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-040">S2-040</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-039">S2-039</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-038">S2-038</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-037">S2-037</a>
+High -> Important</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-036">S2-036</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-033">S2-033</a>
+High -> Important</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-032">S2-032</a>
+High -> Important</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-031">S2-031</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-026">S2-026</a>
+High -> Important</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-024">S2-024</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-023">S2-023</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-022">S2-022</a>
+Medium -> Moderate</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-021">S2-021</a>
+High -> Important</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-016">S2-016</a>
+Highly Critical -> Critical</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-015">S2-015</a>
+Highly Critical -> Critical</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-014">S2-014</a>
+Highly Critical -> Critical</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-013">S2-013</a>
+Highly Critical -> Critical</li>
+ <li><a
href="https://cwiki.apache.org/confluence/display/WW/S2-012">S2-012</a>
+Moderately Critical -> Important</li>
+</ul>
+
+<p><strong>All developers are strongly advised to read about new Security
Impact Levels.</strong></p>
+
+<p class="pull-right">
+ Skip to: <a href="announce-2020.html">Announcements - 2020</a>
+</p>
+
+<p class="pull-left">
+ <strong>Next:</strong>
+ <a href="kickstart.html">Kickstart FAQ</a>
+</p>
</section>
</article>
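Review bot: The two "Skip to" links in the new announce-2021 body disagree: the one under the table of contents uses `href="announce-2020"` and the one at the bottom uses `href="announce-2020.html"`. This push creates the target as announce-2020.html, so use the `.html` form in both places unless the server is known to resolve extensionless paths.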
diff --git
a/content/core-developers/accessing-application-session-request-objects.html
b/content/core-developers/accessing-application-session-request-objects.html
index 5ee2287..21bf18c 100644
--- a/content/core-developers/accessing-application-session-request-objects.html
+++ b/content/core-developers/accessing-application-session-request-objects.html
@@ -144,16 +144,16 @@
<p><strong>Accessing servlet scopes</strong></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre
class="highlight"><code><span class="n">Map</span> <span class="n">attr</span>
<span class="o">=</span> <span class="o">(</span><span
class="n">Map</span><span class="o">)</span> <span
class="n">ActionContext</span><span class="o">.</span><span
class="na">getContext</span><span class="o">().</span><span
class="na">get</span><span class="o">(</span><span class="s">"attr"</span><span
class="o">);</span>
-<span class="n">attr</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span><span class="n">myProp</span><span class="o">);</span>
+<span class="n">attr</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span> <span class="n">myProp</span><span class="o">);</span>
<span class="c1">// Page scope.</span>
<span class="n">Map</span> <span class="n">application</span> <span
class="o">=</span> <span class="o">(</span><span class="n">Map</span><span
class="o">)</span> <span class="n">ActionContext</span><span
class="o">.</span><span class="na">getContext</span><span
class="o">().</span><span class="na">get</span><span class="o">(</span><span
class="s">"application"</span><span class="o">);</span>
-<span class="n">application</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span><span class="n">myProp</span><span class="o">);</span>
+<span class="n">application</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span> <span class="n">myProp</span><span class="o">);</span>
<span class="n">Map</span> <span class="n">session</span> <span
class="o">=</span> <span class="o">(</span><span class="n">Map</span><span
class="o">)</span> <span class="n">ActionContext</span><span
class="o">.</span><span class="na">getContext</span><span
class="o">().</span><span class="na">get</span><span class="o">(</span><span
class="s">"session"</span><span class="o">);</span>
<span class="n">session</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span> <span class="n">myProp</span><span class="o">);</span>
<span class="n">Map</span> <span class="n">request</span> <span
class="o">=</span> <span class="o">(</span><span class="n">Map</span><span
class="o">)</span> <span class="n">ActionContext</span><span
class="o">.</span><span class="na">getContext</span><span
class="o">().</span><span class="na">get</span><span class="o">(</span><span
class="s">"request"</span><span class="o">);</span>
-<span class="n">request</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span><span class="n">myProp</span><span class="o">);</span>
+<span class="n">request</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span> <span class="n">myProp</span><span class="o">);</span>
</code></pre></div></div>
<blockquote>
@@ -174,18 +174,26 @@ is an alternative way to access the request and response
objects, with the same
<h2 id="accessing-from-the-view-jsp-freemarker-etc">Accessing from the view
(JSP, FreeMarker, etc.)</h2>
-<p>Request and session attributes are accessed via OGNL using the <code
class="highlighter-rouge">#session</code> and <code
class="highlighter-rouge">#request</code> stack values.</p>
+<p>Request and session attributes are accessed via OGNL using the <code
class="highlighter-rouge">#session</code> and <code
class="highlighter-rouge">#request</code> stack values.
+Page attributes are accessed via OGNL using the <code
class="highlighter-rouge">#attr</code> stack value, and Application attributes
via
+the <code class="highlighter-rouge">#application</code> stack value.</p>
<p>The <code class="highlighter-rouge">#attr</code> stack value will search
the <code class="highlighter-rouge">javax.servlet.jsp.PageContext</code> for
the specified key. If the <code class="highlighter-rouge">PageContext</code>
-doean’t exist, it will search the request, session, and application scopes, in
that order.</p>
+doesn’t exist, it will search the request, session, and application scopes, in
that order.</p>
-<p><strong>Accessing the Session or Request from a JSP</strong></p>
+<p><strong>Accessing attributes in the Application, Session, Request, or Page
scope from a JSP</strong></p>
-<pre><code class="language-jsp"><s:property value="#session.myId" />
+<pre><code class="language-jsp"><p>Retrieve the attribute (property),
with key myId, from the specified scope:</p>
+
+<s:property value="#application.myId" />
+
+<s:property value="#session.myId" />
<s:property value="#request.myId" />
<s:property value="#attr.myId" />
+
+<p>Reminder: #attr is for Page scope attributes first, but will search
the remaining scopes, in order, seeking a match.</p>
</code></pre>
</section>
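Review bot: The reminder added at the end of the JSP sample says `#attr` "will search the remaining scopes, in order, seeking a match", but the paragraph directly above the sample says the fallback to request, session and application applies if the `PageContext` doesn't exist, which is a different condition from a key not being found in page scope. Make the two statements agree, and name the order (request, session, application) in the reminder so readers can tell which scope shadows which when the same key such as `myId` is set in several of them.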
diff --git a/content/index.html b/content/index.html
index 2d5adae..ebbea4c 100644
--- a/content/index.html
+++ b/content/index.html
@@ -134,10 +134,10 @@
REST, AJAX and JSON.
</p>
<a href="download.cgi#struts2526" class="btn btn-primary btn-large">
- <img src="img/download-icon.svg"> Download
+ <img src="img/download-icon.svg" alt="Download"> Download
</a>
<a href="primer.html" class="btn btn-info btn-large">
- <img src="img/primer-icon.svg"> Technology Primer
+ <img src="img/primer-icon.svg" alt="Technology Primer"> Technology Primer
</a>
</div>
</div>
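Review bot: On the two changed `<img>` lines, `alt="Download"` and `alt="Technology Primer"` repeat the visible link text that follows each icon, so assistive technology announces each label twice. The icons are decorative inside an already labelled link; `alt=""` is the better value here.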
@@ -149,7 +149,7 @@
<p>
Apache Struts 2.5.26 GA has been released<br/>on 06 December 2020.
</p>
- Read more in <a href="announce.html#a20201206">Announcement</a> or in
+ Read more in <a href="announce-2020#a20201206">Announcement</a> or in
<a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26">Version
notes</a>
</div>
<div class="column col-md-4">
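Review bot: the new href `announce-2020#a20201206` drops the `.html` suffix that the old `announce.html#a20201206` carried, while other links in this file (`primer.html`) keep it. The link resolves only if the server maps extensionless paths to the `.html` file. Either use `announce-2020.html#a20201206`, or confirm that the extensionless form is the site convention and that the `a20201206` anchor exists on the new per-year page.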
@@ -157,7 +157,7 @@
<p>
Forced OGNL evaluation, when evaluated on raw user input in tag
attributes, may lead to remote code execution.
Read more in
- <a href="announce#a20201208">Announcement</a>
+ <a href="announce-2020#a20201208">Announcement</a>
</p>
</div>
<div class="column col-md-4">
@@ -182,7 +182,7 @@
<h2>Apache Struts 2.3.37 GA</h2>
<p>
It's the latest release of Struts 2.3.x which contains the latest
security fixes,
- released on 30 December 2018.<br/> Read more in <a
href="announce-2019.html#a20181230">Announcement</a> or in
+ released on 30 December 2018.<br/> Read more in <a
href="announce-2019#a20181230">Announcement</a> or in
<a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.37">Version
notes</a>
</p>
</div>
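Review bot: the changed link sends a release dated 30 December 2018 to `announce-2019#a20181230`. With announcements split into per-year pages, please confirm that this anchor really lives on the 2019 page and not on a 2018 one. The change also drops the `.html` suffix, so the target now depends on extensionless URL handling on the server.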
diff --git a/content/tag-developers/set-tag.html
b/content/tag-developers/set-tag.html
index 5b709b2..dcfb1d8 100644
--- a/content/tag-developers/set-tag.html
+++ b/content/tag-developers/set-tag.html
@@ -150,12 +150,13 @@ the body evaluates is set as value for the scoped
variable.</p>
<li><code class="highlighter-rouge">application</code> - the value will be
set in application scope according to servlet spec. using the name as its
key</li>
<li><code class="highlighter-rouge">session</code> - the value will be set
in session scope according to servlet spec. using the name as key</li>
<li><code class="highlighter-rouge">request</code> - the value will be set
in request scope according to servlet spec. using the name as key</li>
- <li><code class="highlighter-rouge">page</code> - the value will be set in
page scope according to servlet spec. using the name as key</li>
- <li><code class="highlighter-rouge">action</code> - the value will be set in
the request scope and Struts’ action context using the name as key</li>
+ <li><code class="highlighter-rouge">page</code> - the value will be set in
page scope according to servlet spec. using the name as key (retrieve via
#attr)</li>
+ <li><code class="highlighter-rouge">action</code> - the value will be set in
the page scope and Struts’ action context using the name as key</li>
</ul>
<blockquote>
- <p><strong>NOTE</strong>: If no scope is specified, it will default to <code
class="highlighter-rouge">action</code> scope.</p>
+ <p><strong>NOTE</strong>: If no scope is specified, it will default to <code
class="highlighter-rouge">action</code> scope. For the <code
class="highlighter-rouge">set</code> tag <strong>specifically</strong>, this
also
+places (sets) the generated value into the <code
class="highlighter-rouge">page</code> scope as well (retrieve via #attr).</p>
</blockquote>
<p>Assigns a value to a variable in a specified scope</p>
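Review bot: the expanded NOTE repeats what the `action` list item now states (value set in the page scope and the action context), and its wording "also places (sets) the generated value into the page scope as well" is doubly redundant. Suggest keeping the behaviour in one place and trimming the sentence to "this also places the value into the page scope". Since the `action` item changes "request scope" to "page scope", which is a change to the documented behaviour and not a wording fix, the commit message should say so. `#attr` appears twice as bare text, while every other identifier in these lines is wrapped in `<code class="highlighter-rouge">`.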
diff --git a/content/tag-developers/text-tag.html
b/content/tag-developers/text-tag.html
index 5f16c5b..9ee9672 100644
--- a/content/tag-developers/text-tag.html
+++ b/content/tag-developers/text-tag.html
@@ -218,6 +218,11 @@ If no value is found on the stack, the key of the message
will be written out.</
</tr>
</table>
+<blockquote>
+ <p><strong>NOTE</strong>: When the <code
class="highlighter-rouge">var</code> attribute is used with the <code
class="highlighter-rouge">text</code> tag, the tag’s generated value
<strong>will not</strong> be written out to the
+visible page (it will only be placed into the action scope).</p>
+</blockquote>
+
<h2 id="examples">Examples</h2>
<blockquote>
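Review bot: the new NOTE about `var` suppressing output is placed between the attributes table and the Examples heading, where a reader scanning the `var` row of the table will not see it. Suggest putting the sentence in the `var` attribute's description, or adding an example under Examples that sets `var` and then prints the stored value. The note says "action scope", while the set-tag page in this same commit says "Struts' action context". Please pick one term for both pages.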
diff --git a/content/tag-developers/url-tag.html
b/content/tag-developers/url-tag.html
index 6587c71..b69efa7 100644
--- a/content/tag-developers/url-tag.html
+++ b/content/tag-developers/url-tag.html
@@ -321,6 +321,11 @@ because the parameter defined in the <code
class="highlighter-rouge">param</code
</tr>
</table>
+<blockquote>
+ <p><strong>NOTE</strong>: When the <code
class="highlighter-rouge">var</code> attribute is used with the <code
class="highlighter-rouge">url</code> tag, the tag’s generated URL value will be
placed into the request scope
+<strong>in addition to</strong> the action scope.</p>
+</blockquote>
+
<h2 id="examples">Examples</h2>
<pre><code class="language-jsp"><!-- Example 1 -->
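Review bot: the new NOTE says where the generated URL is stored when `var` is used (request scope in addition to the action scope) but not whether the URL is still written to the page. The matching note added to the text tag in this commit states that explicitly, so readers will compare the two. Suggest adding one clause on the output behaviour. Because the value lands in the request scope under the `var` name, it is also worth stating that an existing request attribute with the same name is replaced, if that is the case.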