More housekeeping, the id on the form tag never supported %{..} on the
action attribute, i.e. action="%{#mainAction}!saveDraft"
On 10/04/2023 20:37, Yasser Zamani wrote:
Hi there, please see inline...
On 4/3/2023 11:18 AM, Lukasz Lenart wrote:
The change has been introduced here [1] and the problem is that it
replaces any non-alphanumeric character with "_". Also it works on an
unevaluated version of the "name" attribute (in case the "id"
attribute is not defined). I think this is a bug and I'm not sure why
the "escape" method has been changed in case of fixing double
evaluations (its main purpose was JavaScript-friendliness).
Because it was also reported in the same report by our last security
report. It's required and is a common practice to avoid XSS.
If some plugin has a problem with it, then it also needs to be fixed
(i.e. replace any non-alpha with _) because it's only for Struts
internal usage and users shouldn't depend on Struts internal behavior.
Best Regards,
Yasser
[1]
https://github.com/apache/struts/pull/496/files#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669caR897
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
On Sat, 1 Apr 2023 at 12:43, Greg Huber <gregh3...@gmail.com> wrote:
Maybe a user question (sorry)
Using an action like this: action="%{#mainAction}!saveDraft"/> Struts
seems to get the "id" wrong? ...but the "name" correct.
eg:
<s:set var="mainAction">entryEdit</s:set>
<s:submit cssClass="btn btn-warning"
value="%{getText('weblogEdit.save')}"
action="%{#mainAction}!saveDraft"/>
renders:
<input type="submit" value="Save as Draft"
id="entry____mainAction__saveDraft" name="action:entryAdd!saveDraft"
class="btn btn-warning">
Should be
<input type="submit" value="Save as Draft"
id="entry_entryAdd_saveDraft"
name="action:entryAdd!saveDraft" class="btn btn-warning">
#####
If I try it on my app it does the same thing
<form name="myConfig" id="myConfig" action="/app/myConfig.action"
method="post">
<s:set var="myConfigzzzzz" value="'myConfig'" />
<s:submit value="%{getText('button.save')}" action="%{myConfigz}!save"
accesskey="s" />
</form>
renders:
<input name="action:myConfig!save" type="submit" value="Save"
id="myConfig___myConfigzzzzz__save" accesskey="s">
should be
<input name="action:myConfig!save" type="submit" value="Save"
id="myConfig_myConfig_save" accesskey="s">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
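
An added illustration of the behaviour discussed in this thread, not code from Struts or from any participant: the `escape` stand-in, the toy `%{#var}` resolver and every name below are assumptions. It contrasts building the id from the unevaluated action attribute with evaluating once and then escaping, using the values from the first report plus one constructed value containing markup characters (Java 9+).

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SubmitIdDemo {
    // Hypothetical stand-in for the escaping described in the thread:
    // every non-alphanumeric character is replaced with "_".
    static String escape(String s) {
        return s.replaceAll("[^a-zA-Z0-9]", "_");
    }

    // Toy resolver for %{#var} only (assumption); it is not OGNL and it
    // substitutes each expression exactly once, never re-evaluating results.
    static final Pattern EXPR = Pattern.compile("%\\{#(\\w+)\\}");

    static String evaluateOnce(String raw, Map<String, String> ctx) {
        Matcher m = EXPR.matcher(raw);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = ctx.getOrDefault(m.group(1), "");
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Reported behaviour: the id is derived from the raw attribute text.
    static String idFromRaw(String formId, String action) {
        return formId + "_" + escape(action);
    }

    // Alternative order: evaluate once, then escape the evaluated value.
    static String idFromEvaluated(String formId, String action, Map<String, String> ctx) {
        return formId + "_" + escape(evaluateOnce(action, ctx));
    }

    public static void main(String[] args) {
        String action = "%{#mainAction}!saveDraft";
        Map<String, String> ctx = Map.of("mainAction", "entryAdd");
        System.out.println(idFromRaw("entry", action));
        System.out.println(idFromEvaluated("entry", action, ctx));

        // Constructed value with markup characters: escaping after evaluation
        // still leaves only letters, digits and "_" in the id attribute.
        Map<String, String> hostile = Map.of("mainAction", "a\"><b>x");
        System.out.println(idFromEvaluated("entry", action, hostile));
    }
}
```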