2016-11-11 11:21 GMT+01:00 Greg Huber <gregh3...@gmail.com>:
>> What browser do you use?
>
> firefox 45.4.0 on centos

Yeah... on Chrome it doesn't work, that's why I wasn't able to reproduce :)

>> <s:text/> should only be used to fetch messages from properties files
>> like you did, exactly what the description says: "Render a I18n text
>> message". Using it for something else is a bad idea.
>> I can escape the returning value, this will block JavaScript
>> injections like you did.
>
> Maybe worth only allowing <s:text/> from .properties, as it says in the
> description?? ...For easier maintenance, and escaping might slow it down
> even more!!

Hm... good suggestion, escaping can slow down the whole processing. Also it's a case with defaultMessage, I mean the passed "name" by default is set as a defaultMessage, so <s:text name="<script>alert('ok')</script>" /> will try to find a property with key "<script>alert('ok')</script>" but it will fail and fall back to the default message, which is "<script>alert('ok')</script>" - so we must defend the defaultMessage plus disable evaluating it against a ValueStack.

Thanks!
https://issues.apache.org/jira/browse/WW-4711
https://issues.apache.org/jira/browse/WW-4712

> When I started using struts I made the mistake of using <s:text/>
> incorrectly where I should have used <s:properties/> as it works. Also I
> had no idea that these hidden #parameters etc exist.

Maybe we should've thought about renaming this tag.

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
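The fallback path Łukasz describes, as an added illustration that is not Struts code and not part of the thread: a constructed toy message lookup whose missing-key behaviour falls back to the tag name, evaluates it and emits it raw, beside a variant that neither evaluates the fallback against the stack nor leaves it unescaped. The `MESSAGES` bundle, the `VALUE_STACK` dict and the `${...}` expression syntax are assumptions made for the example.

```python
import html
import re
from typing import Optional

# Constructed stand-in for a message bundle loaded from a .properties file.
MESSAGES = {
    "greeting": "Hello, ${name}!",
}

# Constructed stand-in for the ValueStack: ${key} expressions are resolved here.
VALUE_STACK = {"name": "Greg"}

EXPR = re.compile(r"\$\{([^}]*)\}")


def evaluate(message: str) -> str:
    """Toy 'ValueStack' evaluation: replace every ${key} with the stack value."""
    return EXPR.sub(lambda m: str(VALUE_STACK.get(m.group(1), "")), message)


def render_text_vulnerable(name: str, default_message: Optional[str] = None) -> str:
    """Behaviour described in the thread: defaultMessage defaults to the name,
    a missing key falls back to it, and the fallback is evaluated and emitted
    unescaped, so a name containing markup lands in the page as-is."""
    if default_message is None:
        default_message = name
    message = MESSAGES.get(name, default_message)
    return evaluate(message)


def render_text_hardened(name: str, default_message: Optional[str] = None) -> str:
    """Hardened variant following the thread's conclusion: bundle messages are
    still evaluated, but the defaultMessage fallback is never evaluated against
    the stack and is HTML-escaped before it is emitted."""
    if name in MESSAGES:
        return evaluate(MESSAGES[name])
    fallback = name if default_message is None else default_message
    return html.escape(fallback, quote=True)
```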