Stefaan Dutry created WW-4771:
---------------------------------
Summary: minor typos in confluence page "security.html"
Key: WW-4771
URL: https://issues.apache.org/jira/browse/WW-4771
Project: Struts 2
Issue Type: Improvement
Components: Documentation
Reporter: Stefaan Dutry
Priority: Trivial
* page : [https://struts.apache.org/docs/security.html]
* spotted typos:
** inside a title
{code:none|title=current}
Do not defined setters when not needed
{code}
{code:none|title=fixed}
Do not define setters when not needed
{code}
** inside text under title {{Do not use incoming values as an input for localisation logic}}
{code:none|title=current}
All TextProvider's getText(...) methods (e.g in ActionSupport) performs
evaluation of parameters included in a message to properly localize the text.
This means using incoming request parameters with getText(...) methods is
potentially dangerous and should be avoided. Se example below, assuming that an
action implements getter and setter for property message, the below code allows
inject an OGNL expression:
{code}
{code:none|title=fixed}
All TextProvider's getText(...) methods (e.g in ActionSupport) perform
evaluation of parameters included in a message to properly localize the text.
This means using incoming request parameters with getText(...) methods is
potentially dangerous and should be avoided. See example below, assuming that
an action implements getter and setter for property message, the below code
allows inject an OGNL expression:
{code}
** inside text under title {{Accepted / Excluded patterns}}
{code:none|title=current}
...to check if param can accepted or must be excluded.
{code}
{code:none|title=fixed}
...to check if param can be accepted or must be excluded.
{code}