2015-09-22 14:16 GMT+02:00 Christoph Nenning <christoph.nenn...@lex-com.net>:
>> From: Greg Huber <gregh3...@gmail.com>
>> To: Struts Developers List <dev@struts.apache.org>,
>> Date: 17.09.2015 09:37
>> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>>
>> I was testing using:
>>
>> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
>>
>> and it returned the value in the name field on the bean.
>
> I don't know how <s:submit action="..." /> is implemented but I guess it
> does not use the DMI code path and hence is not secured by strict DMI. It
> surely would make sense to apply the newly configured allowed-methods to
> other code paths as well. How many code paths do we have?

It's a tag, so it's internal stuff which can be used by a developer to
fulfil his special requirements. And this "action" attribute, as any
other, is evaluated against a ValueStack, so it's very hard to predict
what the developer's intention was. Please remember that tags are used
to generate HTML, not to control the framework's behaviour. And this piece
of code will be returned to a browser, and after the user submits it back
this will be governed by Strict DMI.

Also when you want to use DMI here you should use "method" attribute:
<s:submit value="%{getText('button.save')}" action="edit"
method="getBean().name"/>


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
