Pushed changes to the repo, you can test with the latest SNAPSHOT version

2016-11-02 10:28 GMT+01:00 Lukasz Lenart <lukaszlen...@apache.org>:
> 2016-11-02 9:19 GMT+01:00 Lukasz Lenart <lukaszlen...@apache.org>:
>> 2016-11-02 9:12 GMT+01:00 Greg Huber <gregh3...@gmail.com>:
>>> Looking at this:
>>>
>>> <s:if test="#parameters.contains('error')">
>>> <ul><li>
>>> <s:text name="#parameters.get('error').value"/>
>>> </li></ul>
>>> </s:if>
>>>
>>> and if I use:
>>>
>>> login.action?error=<script type="text/javascript">alert("ok1");</script>
>>>
>>> I get a js alert box popup.
>>>
>>> Should it be able to pop up the alert box? Thought this kind of script
>>> should be escaped.
>>
>> Yeah, that's why calling directly .value in your scriptlet isn't a good
>> practice and I want to add a dedicated converter/accessor for
>> HttpParameters to avoid such a situation.
>
> Small progress
>
> These don't work as access to .value is not allowed
> Test: <s:property value="%{#parameters.message.value}"/>
> Test: <s:property value="%{#parameters.get('message').value}"/>
> Test: <s:text name="%{#parameters.message.value}"/>
> Test: <s:text name="%{#parameters.get('message').value}"/>
>
> These work and are safe
> Test: <s:property value="%{#parameters.message}"/>
> Test: <s:text name="%{#parameters.message}"/>
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
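The distinction the thread ends on (writing the raw `.value` into markup versus rendering the parameter object itself), as an added example that is not part of the original messages or the Struts code base. `RequestParam`, `rawValue()` and `escapeHtml()` are hypothetical names chosen for illustration, and the request value is the one quoted in the thread.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class SafeParameterDemo {

    /** Hypothetical stand-in for a request parameter wrapper; not the Struts HttpParameters API. */
    static final class RequestParam {
        private final String raw;
        RequestParam(String raw) { this.raw = raw; }

        /** Raw value: for application logic only, never for direct output. */
        String rawValue() { return raw; }

        /** What a view gets when it evaluates the parameter itself: HTML-escaped text. */
        @Override public String toString() { return escapeHtml(raw); }
    }

    /** Minimal HTML escaper for element content and quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed request map holding the value quoted in the thread.
        Map<String, RequestParam> parameters = new LinkedHashMap<>();
        parameters.put("error",
            new RequestParam("<script type=\"text/javascript\">alert(\"ok1\");</script>"));
        RequestParam error = parameters.get("error");

        // Pattern from the original report: raw value written into markup.
        String unsafe = "<li>" + error.rawValue() + "</li>";
        // Pattern the thread ends on: the view renders the object, which escapes itself.
        String safe = "<li>" + error + "</li>";

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        if (safe.contains("<script")) throw new AssertionError("escaping failed");
    }
}
```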