[jira] [Commented] (WW-4171) getText methods are not documented as evaluating OGNL

Mon, 05 Aug 2013 23:26:08 -0700 

    [ 
https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13730425#comment-13730425
 ] 

Lukasz Lenart commented on WW-4171:
-----------------------------------

I think you a bit demonise here. The first parameter isn't evaluated as an OGNL 
expression - is just a key used to look up in a resource bundle:

{code:java|title=LocalizedTextUtil, line 683}
String message = TextParseUtil.translateVariables(bundle.getString(key), 
valueStack);
{code}

and just the value from resource bundle is evaluated as an expression which is 
rather obvious if you have something like this in a properties file

{code|title=package.properties}
requiredstring = ${getText(fieldName)} is required.
{code}

http://struts.apache.org/development/2.x/docs/localizing-output.html

I have added a note about evaluation to the docs

https://cwiki.apache.org/confluence/display/WW/Localization#Localization-Examples
                
> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
>                 Key: WW-4171
>                 URL: https://issues.apache.org/jira/browse/WW-4171
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 2.3.15.1
>            Reporter: Coverity Security Research Laboratory
>              Labels: security
>
> The methods below evaluate OGNL as their first parameter. However they are 
> not documented as evaluating OGNL. We have observed this occurring in one 
> project and are contacting the affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None 
> of these methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as 
> evaluating OGNL since this may come as a surprise to some developers.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to