2016-11-16 13:12 GMT+01:00 Greg Huber <[email protected]>:
> Ah, was still testing. See last note, guess that's just Java, hmm.
>
>
> ....To block both
>
> ${parameters.get('error')}
> ${parameters.get('error').value}
>
> we need to escape the getValue() method rather than the toString()
>
> @Override
> public String getValue() {
>     String[] values = toStringArray();
>     return (values != null && values.length > 0) ?
>             StringEscapeUtils.escapeHtml4(values[0]) : null;
> }
But this can harm users; in most cases you want to get the raw value of
a parameter because you are accessing #parameters directly.
HttpServletRequest#getParameters() doesn't perform escaping, so the
same applies here.
> ${parameters.get('error').getClass().getClassLoader()}
>
> this is a scary one?? Returns the
> org.apache.catalina.loader.WebappClassLoader
> ....ouch
We were there with OGNL and now UEL is going the same way ;-)
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
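The separation Łukasz argues for, as an added example that is not code from this thread or from Struts: getValue() hands back the raw parameter exactly as HttpServletRequest would, and HTML escaping is a separate, explicit accessor used only where the value is rendered. ParameterValue is a hypothetical stand-in for the framework's parameter holder, and the escapeHtml4 import assumes commons-lang3 on the classpath.

```java
import org.apache.commons.lang3.StringEscapeUtils;

// Hypothetical parameter holder (not a Struts class). The raw value and the
// escaped view are distinct methods, so server-side code that needs the real
// input is not surprised by entities, while templates can opt into escaping.
public final class ParameterValue {
    private final String[] values;

    public ParameterValue(String... values) {
        this.values = values;
    }

    /** Raw value, same contract as HttpServletRequest#getParameter: no escaping. */
    public String getValue() {
        return (values != null && values.length > 0) ? values[0] : null;
    }

    /** HTML-escaped view of the same value, for rendering untrusted input in a page. */
    public String getEscapedValue() {
        String raw = getValue();
        return raw == null ? null : StringEscapeUtils.escapeHtml4(raw);
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for a request parameter named "error".
        ParameterValue error = new ParameterValue("<b>\"not found\"</b>");
        System.out.println("raw:     " + error.getValue());
        System.out.println("escaped: " + error.getEscapedValue());
    }
}
```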