> >> From: Greg Huber <gregh3...@gmail.com>
> >> To: Struts Developers List <dev@struts.apache.org>,
> >> Date: 17.09.2015 09:37
> >> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> >>
> >> I was testing using:
> >>
> >> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
> >>
> >> and it returned the value in the name field on the bean.
> >
> > I don't know how <s:submit action="..." /> is implemented but I guess it
> > does not use the DMI code path and hence is not secured by strict DMI. It
> > surely would make sense to apply the newly configured allowed-methods to
> > other code paths as well. How many code paths do we have?
> 
> It's a tag so it's internal stuff which can be used by a developer to
> fulfil his special requirements. And this "action" attribute, as any
> other, is evaluated against a ValueStack, so it's very hard to predict
> what the developer's intention was. Please remember that tags are used
> to generate HTML, not to control the framework's behaviour. And this piece
> of code will be returned to a browser and after the user submits it back
> this will be governed by Strict DMI.
> 
> Also, when you want to use DMI here you should use the "method" attribute:
> <s:submit value="%{getText('button.save')}" action="edit"
> method="getBean().name"/>
> 
> 

I was wondering why the method was not blocked in Greg's sample. I tried
to reproduce his case based on Łukasz' sample app. But no luck.

With <s:submit action="" /> the framework never invoked the action
specified there. It was always the form-action and its execute() method.


Regards,
Christoph
