[ https://issues.apache.org/jira/browse/WW-4771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15946964#comment-15946964 ]

Lukasz Lenart commented on WW-4771:
-----------------------------------

I think it's ok 
https://cwiki.apache.org/confluence/pages/viewpreviousversions.action?pageId=34024409

I must export the pages and put them on production - a bit of a manual process ;-)

> minor typos in confluence page "security.html"
> ----------------------------------------------
>
>                 Key: WW-4771
>                 URL: https://issues.apache.org/jira/browse/WW-4771
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>            Reporter: Stefaan Dutry
>            Priority: Trivial
>              Labels: documentation
>
> * page : [https://struts.apache.org/docs/security.html]
> * spotted typos:
> ** inside a title
> {code:none|title=current}
> Do not defined setters when not needed
> {code}
> {code:none|title=fixed}
> Do not define setters when not needed
> {code}
> ** inside text under title {{Do not use incoming values as an input for 
> localisation logic}}
> {code:none|title=current}
> All TextProvider's getText(...) methods (e.g in ActionSupport) performs 
> evaluation of parameters included in a message to properly localize the text. 
> This means using incoming request parameters with getText(...) methods is 
> potentially dangerous and should be avoided. Se example below, assuming that 
> an action implements getter and setter for property message, the below code 
> allows inject an OGNL expression:
> {code}
> {code:none|title=fixed}
> All TextProvider's getText(...) methods (e.g in ActionSupport) perform 
> evaluation of parameters included in a message to properly localize the text. 
> This means using incoming request parameters with getText(...) methods is 
> potentially dangerous and should be avoided. See example below, assuming that 
> an action implements getter and setter for property message, the below code 
> allows inject an OGNL expression:
> {code}
> ** inside text under title {{Accepted / Excluded patterns}}
> {code:none|title=current}
> ...to check if param can accepted or must be excluded.
> {code}
> {code:none|title=fixed}
> ...to check if param can be accepted or must be excluded.
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)