2015-09-22 14:16 GMT+02:00 Christoph Nenning <christoph.nenn...@lex-com.net>:
>> From: Greg Huber <gregh3...@gmail.com>
>> To: Struts Developers List <dev@struts.apache.org>,
>> Date: 17.09.2015 09:37
>> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>>
>> I was testing using:
>>
>> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
>>
>> and it returned the value in the name field on the bean.
>
> I don't know how <s:submit action="..." /> is implemented but I guess it
> does not use the DMI code path and hence is not secured by strict DMI. It
> surely would make sense to apply the newly configured allowed-methods to
> other code paths as well. How many code paths do we have?

It's a tag, so it's internal stuff which can be used by a developer to fulfil
his special requirements. And this "action" attribute, like any other, is
evaluated against a ValueStack, so it's very hard to predict what the
developer's intention was. Please remember that tags are used to generate
HTML, not to control the framework's behaviour. And this piece of code will be
returned to a browser, and after the user submits it back this will be governed
by Strict DMI.

Also, when you want to use DMI here you should use the "method" attribute:

<s:submit value="%{getText('button.save')}" action="edit" method="getBean().name"/>

Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
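
An added illustration, not part of the thread and not Struts code: a simplified model of the request-side check discussed above, where an `action!method` name submitted by the browser is split and the method is compared with the action's configured allowed-methods. The class `StrictDmiModel`, the allow-list contents, the exact-match rule and the `execute` default are assumptions made for this sketch.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

public class StrictDmiModel {

    // Constructed allow-list: action name -> methods the developer permits.
    static final Map<String, Set<String>> ALLOWED_METHODS =
            Map.of("edit", Set.of("execute", "save"));

    record Invocation(String action, String method) {}

    // Split "action!method"; a name without "!" maps to the assumed default method.
    static Invocation parse(String requested) {
        int bang = requested.indexOf('!');
        if (bang < 0) {
            return new Invocation(requested, "execute");
        }
        return new Invocation(requested.substring(0, bang),
                              requested.substring(bang + 1));
    }

    // Exact match only: the submitted string is compared as a method name,
    // never evaluated as an expression, so "getBean().name" cannot match.
    static boolean isAllowed(Invocation inv) {
        Set<String> allowed = ALLOWED_METHODS.get(inv.action());
        return allowed != null && allowed.contains(inv.method());
    }

    public static void main(String[] args) {
        // Constructed sample of submitted action names.
        List<String> submitted = List.of(
                "edit", "edit!save", "edit!getBean().name", "edit!delete", "list!save");
        for (String name : submitted) {
            Invocation inv = parse(name);
            System.out.printf("%-22s -> %s%n", name,
                    isAllowed(inv) ? "invoke " + inv.method() : "rejected");
        }
    }
}
```

In this model only `edit` and `edit!save` are invoked. The value from the first message is rejected once it arrives as a submitted action name, whatever the tag rendered on the server side.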