Thank you Greg for your confirmation! So it's not an error or bug or wrong. Struts internal mechanism has been changed owing to security reasons. Please update the app accordingly and replace the id. Or better, find and click on it in some other way than id, to be completely independent from Struts internal behavior.
Best,
Yasser.
________________________________________
From: Greg Huber <gregh3...@gmail.com>
Sent: Saturday, April 15, 2023 3:08 PM
To: dev@struts.apache.org
Subject: Re: looking at roller upgrade again

I think it was always wrong as the test is checking for :

entry_%{#mainAction}!publish

clickById("entry_%{#mainAction}!publish")

On 14/04/2023 19:17, Yasser Zamani wrote:
> Thank you for the explanation Greg. Yes I agree that previously it was
> looking better. Currently am wondering how previous Struts was
> generating the id from an evaluated name! Because as you see below,
> Struts is and was keeping name property unchanged via introducing a
> local var named name:
>
> String name = findString(this.name); // previous version
> String translatedName = findString(this.name); // current version
>
> You see. I just renamed local var name to translatedName to not
> confuse name with this.name. So am wondering how _tmp_id =
> ...escape(name)...; uses an evaluated name in previous versions!
>
> Regards.
>
> On 4/12/2023 7:13 PM, Greg Huber wrote:
>> There is nothing wrong with struts.
>>
>> There is a selenium test in roller that checks on the id
>>
>> clickById("entry_%{#mainAction}!publish");
>>
>> it now has:
>> entry____mainAction__publish
>>
>> ie it escapes %{#}! with spaces.
>>
>> To match other tags, it should evaluate %{#mainAction}
>>
>> ie using the form below:
>>
>> <form id="entry">
>> <s:set var="mainAction">entryEdit</s:set>
>> <s:submit action="%{#mainAction}!saveDraft"/>
>> </form>
>>
>> entry_entryEdit_publish
>>
>> Whether this is needed or not is debatable, although it looks better.
>>
>> But, it is just as easy to change the test to be:
>> entry____mainAction__publish.
>>
>>
>> On Wed, 12 Apr 2023 at 14:27, Yasser Zamani <yasserzam...@apache.org>
>> wrote:
>>
>>> Sorry I didn't get what the problem exactly is.
>>>
>>> 1. Was your app dependent on Struts internal behavior of id generation
>>> and so your app is broken now?
>>>
>>> 2. Or no, Struts itself is broken now by my change?
>>>
>>>
>>> On 4/11/2023 10:16 AM, Greg Huber wrote:
>>>> More housekeeping, the id on the form tag never supported %{..} on the
>>>> action attribute. ie action="%{#mainAction}!saveDraft"
>>>>
>>>> On 10/04/2023 20:37, Yasser Zamani wrote:
>>>>> Hi there, please see inline...
>>>>>
>>>>> On 4/3/2023 11:18 AM, Lukasz Lenart wrote:
>>>>>> The change has been introduced here [1] and the problem is that it
>>>>>> replaces any non-alphanumeric character with "_". Also it works on an
>>>>>> unevaluated version of the "name" attribute (in case if the "id"
>>>>>> attribute is not defined). I think this is a bug and I'm not sure why
>>>>>> the "escape" method has been changed in case of fixing double
>>>>>> evaluations (its main purpose was JavaScript-friendliness)
>>>>>
>>>>> Because it was also reported in same report by our last security
>>>>> report. It's required and is a common practice to avoid XSS.
>>>>>
>>>>> If some plugin has a problem with it, then it also needs to be fixed
>>>>> (i.e. replace any non-alpha with _) because it's only for Struts
>>>>> internal usage and users shouldn't depend on Struts internal
>>>>> behavior.
>>>>>
>>>>> Best Regards,
>>>>> Yasser
>>>>>
>>>>>>
>>>>>> [1]
>>>>>> https://github.com/apache/struts/pull/496/files#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669caR897
>>>>>>
>>>>>> Regards
>>>>>> --
>>>>>> Łukasz
>>>>>> + 48 606 323 122 http://www.lenart.org.pl/
>>>>>>
>>>>>> On Sat, 1 Apr 2023 at 12:43, Greg Huber <gregh3...@gmail.com> wrote:
>>>>>>>
>>>>>>> Maybe a user question (sorry)
>>>>>>>
>>>>>>> Using action like this : action="%{#mainAction}!saveDraft"/> struts
>>>>>>> seems to get the "id" wrong? ...but the "name" correct.
>>>>>>>
>>>>>>> eg:
>>>>>>>
>>>>>>> <s:set var="mainAction">entryEdit</s:set>
>>>>>>>
>>>>>>> <s:submit cssClass="btn btn-warning"
>>>>>>>     value="%{getText('weblogEdit.save')}"
>>>>>>>     action="%{#mainAction}!saveDraft"/>
>>>>>>>
>>>>>>> renders:
>>>>>>>
>>>>>>> <input type="submit" value="Save as Draft"
>>>>>>>     id="entry____mainAction__saveDraft"
>>>>>>>     name="action:entryAdd!saveDraft"
>>>>>>>     class="btn btn-warning">
>>>>>>>
>>>>>>>
>>>>>>> Should be
>>>>>>>
>>>>>>> <input type="submit" value="Save as Draft"
>>>>>>>     id="entry_entryAdd_saveDraft"
>>>>>>>     name="action:entryAdd!saveDraft" class="btn btn-warning">
>>>>>>>
>>>>>>>
>>>>>>> #####
>>>>>>>
>>>>>>> If I try it on my app it does the same thing
>>>>>>>
>>>>>>> <form name="myConfig" id="myConfig" action="/app/myConfig.action"
>>>>>>>     method="post">
>>>>>>>
>>>>>>> <s:set var="myConfigzzzzz" value="'myConfig'" />
>>>>>>> <s:submit value="%{getText('button.save')}"
>>>>>>>     action="%{myConfigz}!save"
>>>>>>>     accesskey="s" />
>>>>>>>
>>>>>>> </form>
>>>>>>>
>>>>>>> renders:
>>>>>>>
>>>>>>> <input name="action:myConfig!save" type="submit" value="Save"
>>>>>>>     id="myConfig___myConfigzzzzz__save" accesskey="s">
>>>>>>>
>>>>>>>
>>>>>>> should be
>>>>>>>
>>>>>>> <input name="action:myConfig!save" type="submit" value="Save"
>>>>>>>     id="myConfig_myConfig_save" accesskey="s">
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>>>>>> For additional commands, e-mail: dev-h...@struts.apache.org
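
Added example, not part of the thread and not Struts source code: a minimal Java model of the id generation discussed above, assuming the id is the form id, an underscore, and the submit tag's action attribute with every non-alphanumeric character replaced by "_" (the behaviour described in the thread). The class and method names are hypothetical; the ids it compares against are the ones quoted in the thread.

```java
import java.util.regex.Pattern;

public class SubmitIdSketch {
    // Assumption: models "replaces any non-alphanumeric character with _"
    // as described in the thread; this is not the Struts implementation.
    private static final Pattern NON_ALNUM = Pattern.compile("[^a-zA-Z0-9]");

    static String escape(String raw) {
        return NON_ALNUM.matcher(raw).replaceAll("_");
    }

    // Hypothetical helper: <form id> + "_" + escaped action attribute.
    static String generatedId(String formId, String action) {
        return formId + "_" + escape(action);
    }

    public static void main(String[] args) {
        // The attribute exactly as written in the JSP (unevaluated).
        String raw = "%{#mainAction}!publish";
        // Constructed: the same attribute after %{#mainAction} is evaluated.
        String evaluated = "entryEdit!publish";

        // Id the thread reports for the current behaviour.
        boolean matchesCurrent =
            generatedId("entry", raw).equals("entry____mainAction__publish");
        // Id the thread says an evaluated name would have produced.
        boolean matchesEvaluated =
            generatedId("entry", evaluated).equals("entry_entryEdit_publish");

        // Constructed value containing attribute-breaking characters: after
        // escaping, only letters, digits and "_" can reach the id attribute.
        String hostile = "x\" onfocus=\"y";
        boolean idSafe =
            generatedId("entry", hostile).matches("[A-Za-z0-9_]+");

        System.out.println("unevaluated name gives reported id: " + matchesCurrent);
        System.out.println("evaluated name gives expected id:   " + matchesEvaluated);
        System.out.println("escaped id is attribute-safe:       " + idSafe);
    }
}
```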