Sorry, I didn't get what exactly the problem is.

1. Did your app depend on Struts' internal behavior of id generation, and so your app is broken now?

2. Or is Struts itself broken now by my change?


On 4/11/2023 10:16 AM, Greg Huber wrote:
More housekeeping, the id on the form tag never supported %{..} on the action attribute, i.e. action="%{#mainAction}!saveDraft"

On 10/04/2023 20:37, Yasser Zamani wrote:
Hi there, please see inline...

On 4/3/2023 11:18 AM, Lukasz Lenart wrote:
The change has been introduced here [1] and the problem is that it
replaces any non-alphanumeric character with "_". Also, it works on an
unevaluated version of the "name" attribute (in case the "id"
attribute is not defined). I think this is a bug and I'm not sure why
the "escape" method has been changed in case of fixing double
evaluations (its main purpose was JavaScript-friendliness).

Because it was also reported in the same report by our last security report. It's required and is a common practice to avoid XSS.

If some plugin has a problem with it, then it also needs to be fixed (i.e. replace any non-alpha with _) because it's only for Struts internal usage and users shouldn't depend on Struts internal behavior.

Best Regards,
Yasser


[1] https://github.com/apache/struts/pull/496/files#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669caR897


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

Sat, 1 Apr 2023 at 12:43 Greg Huber <gregh3...@gmail.com> wrote:

Maybe a user question (sorry)

Using action like this : action="%{#mainAction}!saveDraft"/> struts
seems to get the "id" wrong?  ...but the "name" correct.

eg:

<s:set var="mainAction">entryEdit</s:set>

<s:submit cssClass="btn btn-warning"
                value="%{getText('weblogEdit.save')}"
                action="%{#mainAction}!saveDraft"/>

renders:

<input type="submit" value="Save as Draft"
id="entry____mainAction__saveDraft" name="action:entryAdd!saveDraft"
class="btn btn-warning">


Should be

<input type="submit" value="Save as Draft" id="entry_entryAdd_saveDraft"
name="action:entryAdd!saveDraft" class="btn btn-warning">


#####

If I try it on my app it does the same thing

<form name="myConfig" id="myConfig" action="/app/myConfig.action"
method="post">

<s:set var="myConfigzzzzz" value="'myConfig'" />
<s:submit value="%{getText('button.save')}" action="%{myConfigz}!save"
accesskey="s" />

</form>

renders:

<input name="action:myConfig!save" type="submit" value="Save"
id="myConfig___myConfigzzzzz__save" accesskey="s">


should be

<input name="action:myConfig!save" type="submit" value="Save"
id="myConfig_myConfig_save" accesskey="s">





---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
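
The ordering question discussed in this thread, as an added example that is not part of any message and is not Struts code: it contrasts escaping the raw action attribute with escaping its evaluated value, using the form id and action string from the first report. Assumptions: `escape` models the "replace any non-alphanumeric character with _" rule described above, `evaluate` is a hypothetical map-based stand-in for OGNL evaluation, and the hostile variable value is constructed.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SubmitIdDemo {
    // Assumption: models the escaping described in the thread, i.e. every
    // non-alphanumeric character becomes "_". Not copied from Struts.
    static String escape(String s) {
        return s.replaceAll("[^a-zA-Z0-9_]", "_");
    }

    // Hypothetical stand-in for expression evaluation: resolves %{#var} and
    // %{var} from a map. Real Struts evaluates OGNL against the value stack.
    static final Pattern EXPR = Pattern.compile("%\\{#?(\\w+)\\}");

    static String evaluate(String raw, Map<String, String> vars) {
        Matcher m = EXPR.matcher(raw);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String v = vars.getOrDefault(m.group(1), "");
            m.appendReplacement(out, Matcher.quoteReplacement(v));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Behaviour reported in the thread: the raw attribute is escaped.
    static String idFromRaw(String formId, String action) {
        return formId + "_" + escape(action);
    }

    // Behaviour the reporter expected: evaluate first, then escape the result.
    static String idFromEvaluated(String formId, String action, Map<String, String> vars) {
        return formId + "_" + escape(evaluate(action, vars));
    }

    public static void main(String[] args) {
        String action = "%{#mainAction}!saveDraft";
        System.out.println(idFromRaw("entry", action));
        System.out.println(idFromEvaluated("entry", action, Map.of("mainAction", "entryAdd")));
        // Constructed hostile value: the id is still limited to [A-Za-z0-9_].
        String id = idFromEvaluated("entry", action, Map.of("mainAction", "a\"><b"));
        System.out.println(id + " safe=" + id.matches("[A-Za-z0-9_]+"));
    }
}
```

Because the escape is applied last in both variants, the generated id stays within the same character set either way; only the readability of the id differs.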


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org

Reply via email to