[ 
https://issues.apache.org/jira/browse/WW-5117?focusedWorklogId=708918&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-708918
 ]

ASF GitHub Bot logged work on WW-5117:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 14/Jan/22 07:59
            Start Date: 14/Jan/22 07:59
    Worklog Time Spent: 10m 
      Work Description: yasserzamani commented on a change in pull request #525:
URL: https://github.com/apache/struts/pull/525#discussion_r784630914



##########
File path: core/src/test/java/org/apache/struts2/views/jsp/ui/TextfieldTest.java
##########
@@ -346,7 +346,7 @@ public void testSimple_recursionTest() throws Exception {
         tag.setName("myname");
         tag.setValue("%{foo}");
         tag.setSize("10");
-        tag.setDynamicAttribute(null, "anotherAttr", "%{foo}");
+        tag.setDynamicAttribute(null, "anotherAttr", "another_%{foo}");
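
Review bot: The `-`/`+` pair in `testSimple_recursionTest` rewrites the existing `anotherAttr` case in place instead of adding to it, so the test no longer exercises a dynamic attribute whose whole value is the expression `%{foo}` (the form still passed to `setValue` two lines up). Judging by the test's name, the expression-only input is the case it is there to cover, so keep the original `tag.setDynamicAttribute(null, "anotherAttr", "%{foo}");` line and put the prefixed `another_%{foo}` value under a second attribute name, extending the expected output to match.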

Review comment:
       Thanks for the clarification! Just wanted to note and clarify it. So we can 
go ahead :) 
   
   P.S. However, I think it's good practice not to touch current tests and 
just add tests, just to be more confident that changes aren't breaking previous 
assertions. E.g. in this case I think we can simply add a new attr 
**anotherAttr2**:
   ```tag.setDynamicAttribute(null, "anotherAttr2", "another_%{foo}");```
   and add the expected attr to the current expected file. I see your point that 
dynAttrs are normally `static_text_%{variable}`, but this test is just a special, 
non-normal case test which assumes that an attacker had been successful in 
injecting such a value.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 708918)
    Time Spent: 7h  (was: 6h 50m)

> %{id} evaluates different for data-* and value attribute
> --------------------------------------------------------
>
>                 Key: WW-5117
>                 URL: https://issues.apache.org/jira/browse/WW-5117
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.5.26
>            Reporter: Jonas Marczona
>            Assignee: Lukasz Lenart
>            Priority: Major
>             Fix For: 2.5.29, 2.6
>
>          Time Spent: 7h
>  Remaining Estimate: 0h
>
> {{%\{id\}}} evaluates for "data-*" attributes in a different way than for the 
> "value" attribute. 
> In a very simple context where I have only one getter:
> {code}
> public Long getId() {
>    return 27357L;
> }
> {code}
> The following two usages of "id" in one tag in a JSP evaluate in different 
> ways:
> JSP:
> {noformat}
> <%@ taglib prefix="s" uri="/struts-tags"%>
> <s:hidden name="first" data-wuffmiauww="%{id}" id="einszwei" value="%{id}"/>
> <s:hidden name="second" data-wuffmiauww="%{id}" value="%{id}"/>
> {noformat}
> Result:
> {noformat}
> <input type="hidden" name="first" value="27357" id="einszwei" 
> data-wuffmiauww="einszwei">
> <input type="hidden" name="second" value="27357" data-wuffmiauww>
> {noformat}
> I expect the Id of my getter - for both cases. 
> The value for {{data-wuffmiauww}} is wrong.
> With Struts 2 version 2.5.20 the result was correct:
> {noformat}
> <input type="hidden" name="first" value="27357" id="einszwei" 
> data-wuffmiauww="27357">
> <input type="hidden" name="second" value="27357" data-wuffmiauww="27357">
> {noformat}


