2016-11-16 13:12 GMT+01:00 Greg Huber <gregh3...@gmail.com>:
> Ah, was still testing. See last note, guess that's just Java, hmm.
>
> ....To block both
>
> ${parameters.get('error')}
> ${parameters.get('error').value}
>
> we need to escape the getValue() method rather than the toString():
>
>     @Override
>     public String getValue() {
>         // Escape the first raw value on read, so both forms above come back HTML-escaped
>         String[] values = toStringArray();
>         return (values != null && values.length > 0) ?
>                 StringEscapeUtils.escapeHtml4(values[0]) : null;
>     }
But this can harm users; in most cases you want to get the raw value of a parameter because you are accessing #parameters directly. HttpServletRequest#getParameters() doesn't perform escaping, so the same applies here.

> ${parameters.get('error').getClass().getClassLoader()}
>
> this is a scary one?? Returns the
> org.apache.catalina.loader.WebappClassLoader

....ouch, we were there with OGNL and now UEL is going the same way ;-)


Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
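Added illustration (not code from the thread, from Struts, or from any UEL implementation) of the point made above: HTML-escaping the value returned by getValue() only changes what the value looks like when rendered, it does nothing about an expression that never calls getValue() and instead walks from the parameter object to its Class and ClassLoader. The expression engine here is a deliberately tiny reflective dot-path navigator standing in for UEL/OGNL; EscapingParameter is a hypothetical wrapper modelled on the getValue() override quoted above, and escapeHtml is a local stand-in for StringEscapeUtils.escapeHtml4 so the file compiles without dependencies. The hardened variant uses a type allow-list, which is the demo's own choice of containment, not a description of how Struts does it.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Toy stand-in for an expression language: walks a chain such as
 * "getClass().getClassLoader()" by reflectively invoking each zero-argument
 * method on the previous result. NOT Struts or UEL code; it exists only to
 * show why escaping a getter does not contain expression evaluation.
 */
public class ElEscapeDemo {

    /** Hypothetical parameter wrapper modelled on the getValue() override in the thread. */
    public static final class EscapingParameter {
        private final String[] values;

        public EscapingParameter(String... values) {
            this.values = values;
        }

        /** HTML-escapes the first value on read, as the proposed patch does. */
        public String getValue() {
            return (values != null && values.length > 0) ? escapeHtml(values[0]) : null;
        }

        // Minimal stand-in for StringEscapeUtils.escapeHtml4 (avoids a dependency).
        private static String escapeHtml(String s) {
            return s.replace("&", "&amp;").replace("<", "&lt;")
                    .replace(">", "&gt;").replace("\"", "&quot;");
        }
    }

    /** Naive navigator: any public zero-arg method is reachable from any intermediate object. */
    public static Object navigate(Object root, String path) throws Exception {
        Object current = root;
        for (String step : path.split("\\.")) {
            if (current == null) {
                throw new NullPointerException("cannot navigate '" + step + "' on null");
            }
            Method m = current.getClass().getMethod(stripParens(step));
            current = m.invoke(current);
        }
        return current;
    }

    /** Types an expression may pass through in the hardened navigator (demo choice). */
    private static final Set<String> ALLOWED_TYPES = new HashSet<>(Arrays.asList(
            EscapingParameter.class.getName(), String.class.getName()));

    /** Hardened navigator: every intermediate result must be of an allow-listed type. */
    public static Object navigateAllowlisted(Object root, String path) throws Exception {
        Object current = root;
        for (String step : path.split("\\.")) {
            if (current == null) {
                throw new NullPointerException("cannot navigate '" + step + "' on null");
            }
            Method m = current.getClass().getMethod(stripParens(step));
            Object next = m.invoke(current);
            if (next != null && !ALLOWED_TYPES.contains(next.getClass().getName())) {
                throw new SecurityException("expression reached disallowed type "
                        + next.getClass().getName() + " via " + step);
            }
            current = next;
        }
        return current;
    }

    private static String stripParens(String step) {
        return step.endsWith("()") ? step.substring(0, step.length() - 2) : step;
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker-controlled request parameter.
        EscapingParameter error = new EscapingParameter("<script>alert(1)</script>");

        // 1. Escaping does what it was meant to: the rendered value is inert HTML.
        System.out.println(navigate(error, "getValue()"));

        // 2. ...but getValue() is never called here, so escaping cannot matter:
        //    the chain walks from the parameter object straight to its class loader.
        System.out.println(navigate(error, "getClass().getClassLoader()"));

        // 3. The type allow-list stops the chain at getClass(), before the loader is reached.
        try {
            navigateAllowlisted(error, "getClass().getClassLoader()");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // 4. Plain value access still works under the allow-list.
        System.out.println(navigateAllowlisted(error, "getValue()"));
    }
}
```

Compile and run with `javac ElEscapeDemo.java && java ElEscapeDemo`. Step 2 prints the application class loader that loaded EscapingParameter, the desktop analogue of the WebappClassLoader in the quoted expression, regardless of what getValue() escapes. The takeaway is the one the reply makes: the fix for an expression that reaches getClassLoader() belongs in the expression engine (which types and members an expression may traverse), not in the accessor whose output happens to be rendered.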