> >> From: Greg Huber <gregh3...@gmail.com>
> >> To: Struts Developers List <dev@struts.apache.org>,
> >> Date: 17.09.2015 09:37
> >> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> >>
> >> I was testing using:
> >>
> >> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
> >>
> >> and it returned the value in the name field on the bean.
> >
> > I don't know how <s:submit action="..." /> is implemented but I guess it
> > does not use the DMI code path and hence is not secured by strict DMI. It
> > surely would make sense to apply the newly configured allowed-methods to
> > other code paths as well. How many code paths do we have?
>
> It's a tag so it's internal stuff which can be used by developer to
> fulfil his special requirements. And this "action" attribute as any
> other is evaluated against a ValueStack, so it's very hard to predict
> what was the developer's intention. Please remember that tags are used
> to generate HTML, not to control framework's behaviour. And this piece
> of code will be returned to a browser and after user submits it back
> this will be governed by Strict DMI.
>
> Also when you want to use DMI here you should use "method" attribute:
> <s:submit value="%{getText('button.save')}" action="edit"
> method="getBean().name"/>
>
I was wondering why the method was not blocked in Greg's sample. I tried to reproduce his case based on Łukasz' sample app. But no luck. With <s:submit action="" /> the framework never invoked the action specified there. It was always the form-action and its execute() method.

Regards,
Christoph