2016-11-02 9:19 GMT+01:00 Lukasz Lenart <lukaszlen...@apache.org>:
> 2016-11-02 9:12 GMT+01:00 Greg Huber <gregh3...@gmail.com>:
>> Looking at this:
>>
>> <s:if test="#parameters.contains('error')">
>> <ul><li>
>> <s:text name="#parameters.get('error').value"/>
>> </li></ul>
>> </s:if>
>>
>> and if I use:
>>
>> login.action?error=<script type="text/javascript">alert("ok1");</script>
>>
>> I get a js alert box popup.
>>
>> Should it be able to popup the alert box? Thought this kind of script
>> should be escaped.
>
> Yeah, that's why calling directly .value in your scriptlet isn't a good
> practice and I want to add a dedicated converter/accessor for
> HttpParameters to avoid such situation.

Small progress

These don't work as access to .value is not allowed

Test: <s:property value="%{#parameters.message.value}"/>
Test: <s:property value="%{#parameters.get('message').value}"/>
Test: <s:text name="%{#parameters.message.value}"/>
Test: <s:text name="%{#parameters.get('message').value}"/>

These work and are safe

Test: <s:property value="%{#parameters.message}"/>
Test: <s:text name="%{#parameters.message}"/>


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
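
An added illustration, not part of the original message and not Struts code: a minimal Java sketch of the idea discussed in the thread, a parameter wrapper whose string form is HTML-escaped while the raw value is reachable only through an explicit accessor. `SafeParam` and `escapeHtml` are hypothetical names; how Struts' own HttpParameters handles this is not shown on the page.

```java
// Added illustration; SafeParam and escapeHtml are hypothetical names,
// not classes from Struts.
public class SafeParamDemo {

    /** Request parameter wrapper: raw value is explicit, string form is escaped. */
    static final class SafeParam {
        private final String raw;

        SafeParam(String raw) {
            this.raw = raw;
        }

        /** Raw, user-controlled value: for validation and logic, not for markup. */
        String getValue() { return raw; }

        /** What a template receives when it renders the parameter object itself. */
        @Override
        public String toString() { return raw == null ? "" : escapeHtml(raw); }
    }

    /** Minimal HTML escaping for element content and quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the query-string value quoted in the thread.
        SafeParam error = new SafeParam(
                "<script type=\"text/javascript\">alert(\"ok1\");</script>");

        // Pattern from the first template: the raw value is written into the page.
        System.out.println("<li>" + error.getValue() + "</li>");
        // Pattern from the "work and are safe" templates: the object itself is rendered.
        System.out.println("<li>" + error + "</li>");
    }
}
```

The first line printed contains a live `<script>` element; the second contains the same text with `<`, `>` and `"` replaced by entities, so a browser displays it instead of executing it.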