[
https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13730425#comment-13730425
]
Lukasz Lenart edited comment on WW-4171 at 8/6/13 6:25 AM:
-----------------------------------------------------------
I think you a bit demonise here. The first parameter isn't evaluated as an OGNL
expression - is just a key used to look up in a resource bundle:
{code:java|title=LocalizedTextUtil, line 683}
String message = TextParseUtil.translateVariables(bundle.getString(key),
valueStack);
{code}
and just the value from resource bundle is evaluated as an expression which is
rather obvious if you have something like this in a properties file
{code:xml|title=package.properties}
requiredstring = ${getText(fieldName)} is required.
{code}
http://struts.apache.org/development/2.x/docs/localizing-output.html
I have added a note about evaluation to the docs
https://cwiki.apache.org/confluence/display/WW/Localization#Localization-Examples
was (Author: lukaszlenart):
I think you a bit demonise here. The first parameter isn't evaluated as an
OGNL expression - is just a key used to look up in a resource bundle:
{code:java|title=LocalizedTextUtil, line 683}
String message = TextParseUtil.translateVariables(bundle.getString(key),
valueStack);
{code}
and just the value from resource bundle is evaluated as an expression which is
rather obvious if you have something like this in a properties file
{code|title=package.properties}
requiredstring = ${getText(fieldName)} is required.
{code}
http://struts.apache.org/development/2.x/docs/localizing-output.html
I have added a note about evaluation to the docs
https://cwiki.apache.org/confluence/display/WW/Localization#Localization-Examples
> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
> Key: WW-4171
> URL: https://issues.apache.org/jira/browse/WW-4171
> Project: Struts 2
> Issue Type: Bug
> Components: Documentation
> Affects Versions: 2.3.15.1
> Reporter: Coverity Security Research Laboratory
> Labels: security
>
> The methods below evaluate OGNL as their first parameter. However they are
> not documented as evaluating OGNL. We have observed this occurring in one
> project and are contacting the affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None
> of these methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as
> evaluating OGNL since this may come as a surprise to some developers.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
