> <s:text name="<script>alert('ok')</script>" />
>In the latest build? Because I see something like this in source page
>Test: <script>alert(\'ok\')<\/script>
OK, it is escaped.
<script>alert(\'ok\')<\/script>
##
> script.test=<script type="text/javascript">alert("ok");</script>
> <s:text name="script.test"/>
script.test is in my .properties file, but as we are not escaping I would
expect this to pop.
My tests:
<s:if test="#parameters.contains('error')">
<ul>
<li>
1<s:text name="#parameters.get('error').value"/>
</li>
<li>
2 <s:text name="#parameters.error"/>
</li>
<li>
3 <s:property value="#parameters.error"/>
</li>
<li>
<s:text name="getParameter('error')" />
</li>
<li>
4 <s:property
value="%{#parameters.get('error').value}"/>
</li>
<li>
5 <s:text name="<script>alert('ok')</script>" />
</li>
<li>
6 <s:text name="script.test"/>
</li>
</ul>
</s:if>
- 1#parameters.get(\'error\').value
- 2 #parameters.error
- 3 <script type="text/javascript">alert("ok");</script>
- getParameter(\'error\')
- 4
- 5 <script>alert(\'ok\')<\/script>
- 6
#6 is the only one now that pops which is correct.
On 12 November 2016 at 08:24, Lukasz Lenart <[email protected]> wrote:
> 2016-11-11 12:23 GMT+01:00 Greg Huber <[email protected]>:
> >> <s:text name="<script>alert('ok')</script>" />
> >
> > ....this pops!
>
> In the latest build? Because I see something like this in source page
>
> Test: <script>alert(\'ok\')<\/script>
>
> >> Maybe we should've thought about renaming this tag
> >
> >
> > Think we are OK here as it does say what it does, maybe could add more
> info
> > in the hover if we are going to change it. Currently it says "Render a
> > I18n text message"
> >
> > ##
> >
> > <s:text name="script.test"/>
> > script.test=<script type="text/javascript">alert("ok");</script>
>
> I assume you meant that "script.test=<script
> type="text/javascript">alert("ok");</script>" is passed as a request
> parameter? So again, are you using the latest build? Because I cannot
> confirm this.
>
> > ..but do have html in the ApplicationResources.properties file so
> sometimes
> > I want it rendered as html eg <em>Important</em> but any
> <script></script>
> > could be escaped when it's loaded from the file initially? It's
> difficult
> > to say how far to take this!
>
> To be clear, this won't affect your messages from .properties files,
> so if you are using html in there you will get that html on your page,
> it won't be escaped. Right now, after disabling searching default
> message in ValueStack, even escaping is not needed.
>
> > Think reducing the scope of <s:text> is worth doing, it's easy to convert
> to
> > <s:property> and also reduces the duplication / maintenance also.
>
> Yes, but both these tags have different use cases, so I would leave
> them just improve.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
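The behaviour argued over in this thread (a bundle key rendering its message verbatim, a missing key falling back to a default, and that default previously being looked up in the ValueStack so that request data could reach the page unescaped) is easier to reason about as a small model. The following Python is an added example, not Struts code and not from either author; `render_text`, `eval_value_stack`, `run_cases`, the `welcome` message and the `error` parameter value are constructed assumptions, and `eval_value_stack` is only a toy stand-in for OGNL that understands the two `#parameters` forms used in the tests above.

```python
import html

# Constructed sample message bundle, modelled on an ApplicationResources.properties.
# The script.test entry is the one from the thread; welcome is a constructed extra
# showing the intentional-HTML case mentioned in the discussion.
BUNDLE = {
    "script.test": '<script type="text/javascript">alert("ok");</script>',
    "welcome": "<em>Important</em> notice",
}

# Constructed request parameters, standing in for a request carrying ?error=...
PARAMS = {"error": '<script type="text/javascript">alert("ok");</script>'}


def eval_value_stack(expr, params):
    """Toy stand-in for OGNL evaluation of a name attribute against request
    parameters. Assumption: only the two #parameters forms from the thread's
    tests are modelled; any other expression resolves to nothing."""
    get_prefix, get_suffix = "#parameters.get('", "').value"
    if expr.startswith(get_prefix) and expr.endswith(get_suffix):
        return params.get(expr[len(get_prefix):-len(get_suffix)])
    if expr.startswith("#parameters."):
        return params.get(expr[len("#parameters."):])
    return None


def render_text(name, bundle, params, search_value_stack, escape_default):
    """Model of <s:text name="..."/> resolution (assumption, not Struts' code).

    1. A key present in the bundle renders its message verbatim: the
       .properties file is developer-authored, so HTML there is kept (#6).
    2. Otherwise, with search_value_stack=True (the old behaviour the thread
       refers to), the name is evaluated as an expression and any value found
       is rendered, so request data reaches the page unescaped.
    3. Otherwise the name itself is the default message; escaping it is what
       leaves test 5 as inert text in the page source.
    """
    if name in bundle:
        return bundle[name]
    if search_value_stack:
        found = eval_value_stack(name, params)
        if found is not None:
            return found
    return html.escape(name, quote=True) if escape_default else name


def run_cases(search_value_stack, escape_default):
    """Renders the thread's test names under one tag configuration."""
    names = [
        "#parameters.get('error').value",
        "#parameters.error",
        "<script>alert('ok')</script>",
        "script.test",
    ]
    return {n: render_text(n, BUNDLE, PARAMS, search_value_stack, escape_default)
            for n in names}


if __name__ == "__main__":
    # Old behaviour (ValueStack fallback, no escaping) beside the corrected one.
    for cfg in [(True, False), (False, True)]:
        print("search_value_stack=%s escape_default=%s" % cfg)
        for n, out in run_cases(*cfg).items():
            print("  %-36s -> %s" % (n, out))
```

Running it shows the split the thread lands on: under the corrected configuration the `#parameters` names and the literal `<script>` name all come back as escaped text, while `script.test` still renders the raw HTML from the bundle, because that string is trusted developer content rather than request input.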