[jira] [Commented] (WW-5022) Struts 2.6 escaping behaviour change for s:a (anchor) tag
[ https://issues.apache.org/jira/browse/WW-5022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772708#comment-16772708 ]

Yasser Zamani commented on WW-5022:
-----------------------------------

What is the philosophy that auto-escaping is a critical need?! If there aren't, and as it looks like a huge behavioral change, then let's disable auto-escaping. I myself, as a user/developer, prefer flexibility against security - I myself should care!

> Struts 2.6 escaping behaviour change for s:a (anchor) tag
> ---------------------------------------------------------
>
>                 Key: WW-5022
>                 URL: https://issues.apache.org/jira/browse/WW-5022
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.6
>         Environment: Tomcat 7.0, 8.5 using Java 8 and 11.
>            Reporter: James Chaplin
>            Priority: Major
>             Fix For: 2.6
>
>
> While interacting with the current 2.6 Showcase application I recently
> noticed that +the "Home" glyph icon was not displaying correctly+. Instead
> of the icon, +the page displayed the body content literally in the browser+.
> Checking the page source (view source in browser) it turns out the body
> content of the tag was HTML-escaped. I double-checked and this does not
> happen to Struts 2.5.21 (snapshot) or older 2.6 Showcase apps.
> This behaviour might affect other tags, but +it was noticed and confirmed
> with "s:a"+ (the JSP anchor tag).
> After some digging (using older commits from GitHub and building the 2.6
> Showcase app from them) it appears the automatic body escaping did not occur
> prior to January 2nd 2019, but was introduced with one of the multiple
> commits applied on January 3rd 2019.
> It could be an interaction between earlier mid-December 2018 commits that
> changed the Freemarker configuration version in FreemarkerManager
> (Configuration.VERSION_2_3_0) to a new one (Configuration.VERSION_2_3_28),
> combined with the January 3rd commits. Couldn't find the exact cause, but
> perhaps one of the Struts Team might be able to do so.
> Given the original/old behaviour +it seems that auto-escaping the tag body
> might be a bug+.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (WW-5004) No more calling of a static variable in Struts 2.8.20 available
[ https://issues.apache.org/jira/browse/WW-5004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772664#comment-16772664 ]

Lukasz Lenart commented on WW-5004:
-----------------------------------

[~santos.r9] this happens in devMode only, see this part {{set struts.devMode to false to disable this message}}

> No more calling of a static variable in Struts 2.8.20 available
> ---------------------------------------------------------------
>
>                 Key: WW-5004
>                 URL: https://issues.apache.org/jira/browse/WW-5004
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.5.20
>         Environment: Java 7.1 and JSP Websites
>            Reporter: Deniz Renkligül
>            Priority: Critical
>              Labels: build, features, patch, usability
>             Fix For: 2.5.21, 2.6
>
>
> After the update from Struts 2.5.18 to 2.5.20 it is no longer possible to call
> a Java static variable in JSP like
> {code:java}
>
> {code}
> Please see for more details the release notes of 2.5.20
> [link
> https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.20|https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.20]
> and I tried without success the following description assigned above in the
> release version notes 2.5.20 with:
> {code:java}
>
>
> {code}
> https://issues.apache.org/jira/browse/WW-4984
>
> Thanks in advance for your support.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (WW-5022) Struts 2.6 escaping behaviour change for s:a (anchor) tag
[ https://issues.apache.org/jira/browse/WW-5022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772662#comment-16772662 ]

Lukasz Lenart commented on WW-5022:
-----------------------------------

This is the one thing, the other is that all other plugins (Struts Bootstrap plugin) are also affected and I wonder how to resolve that.
[jira] [Commented] (WW-5004) No more calling of a static variable in Struts 2.8.20 available
[ https://issues.apache.org/jira/browse/WW-5004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772272#comment-16772272 ]

Juan Santos commented on WW-5004:
---------------------------------

Hi, I'm having trouble with static parameters. I'm migrating an application from Struts 2.3.35 to 2.5.18, and I have this Struts configuration:

{code:java}
2 ${tipoSoc} 1 /WEB-INF/jsp/operacion/ag_operacion_cap.jsp
{code}

In the log I'm getting this stacktrace:

{code:java}
[ERROR] [com.opensymphony.xwork2.interceptor.StaticParametersInterceptor]: Developer Notification (set struts.devMode to false to disable this message): Unexpected Exception caught setting 'tipoSoc' on 'class mx.ag.principal.AGClsFinancieroAction: Error setting expression 'tipoSoc' with value '${tipoSoc}'
[ERROR] [com.opensymphony.xwork2.interceptor.StaticParametersInterceptor]: Developer Notification (set struts.devMode to false to disable this message): Unexpected Exception caught setting 'tipoSoc' on 'class mx.ag.principal.AGClsFinancieroAction: Error setting expression 'tipoSoc' with value '${tipoSoc}'
[ERROR] [com.opensymphony.xwork2.interceptor.StaticParametersInterceptor]: Developer Notification (set struts.devMode to false to disable this message): Unexpected Exception caught setting 'tipoSoc' on 'class mx.ag.principal.AGClsFinancieroAction: Error setting expression 'tipoSoc' with value '${tipoSoc}'
[WARN ] [com.opensymphony.xwork2.util.AbstractLocalizedTextProvider]: Missing key [devmode.notification] in bundle [mx.ag.AGClsMensajeError]!
[ERROR] [com.opensymphony.xwork2.interceptor.ParametersInterceptor]: Developer Notification (set struts.devMode to false to disable this message): Unexpected Exception caught setting 'tipoSoc' on 'class mx.ag.principal.AGClsFinancieroAction: Error setting expression 'tipoSoc' with value '${tipoSoc}'
[WARN ] [com.opensymphony.xwork2.util.AbstractLocalizedTextProvider]: Missing key [invalid.fieldvalue.tipoSoc] in bundle [mx.ag.AGClsMensajeError]!
[WARN ] [com.opensymphony.xwork2.util.AbstractLocalizedTextProvider]: Missing key [invalid.fieldvalue.tipoSoc] in bundles [[formatter, global, org/apache/struts2/struts-messages, com/opensymphony/xwork2/xwork-messages]]!
[INFO ] [com.opensymphony.xwork2.config.ConfigurationManager]: Detected container provider [Struts XML configuration provider (struts-default.xml)] needs to be reloaded. Reloading all providers.
[ERROR] [com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor]: No result defined for action mx.ag.principal.AGClsFinancieroAction and result input
com.opensymphony.xwork2.config.ConfigurationException: No result defined for action mx.ag.principal.AGClsFinancieroAction and result input
    at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:377) ~[struts2-core-2.5.18.jar:2.5.18]
{code}

The referrercaptura field doesn't have a setter or getter in the action (currently it's working fine with Struts 2.3.35); this field is validated by a custom interceptor. The tipoCons and tipoSoc fields have their setters and getters in the Action class. I have been trying with Struts 2.5.18 and 2.5.20 and OGNL 3.1.18 and 3.1.15 but the problem is the same.

Thanks in advance
[jira] [Resolved] (WW-5012) Make a public state check the first acceptance check in SecurityMemberAccess
[ https://issues.apache.org/jira/browse/WW-5012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yasser Zamani resolved WW-5012.
------------------------------
    Resolution: Fixed

PR got merged, thanks!

> Make a public state check the first acceptance check in SecurityMemberAccess
> ----------------------------------------------------------------------------
>
>                 Key: WW-5012
>                 URL: https://issues.apache.org/jira/browse/WW-5012
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.5.20
>         Environment: All environments.
>            Reporter: James Chaplin
>            Priority: Minor
>              Labels: performance, security
>             Fix For: 2.6
>
>
> During discussion for WW-5004, a recommendation was made by two Apache Struts
> Team members to adjust the sequence of calls in the SecurityMemberAccess
> module.
> The recommendation was to make the member's public state check (e.g.
> checkPublicMemberAccess()) the absolute first check made during acceptance
> checks.
> This improvement would look at implementing this change for the access check
> ordering, and any minor enhancements that are applicable to the ordering
> change.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
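
The check ordering recommended in the WW-5012 description above, as an added sketch that is not part of the original messages and is not Struts' SecurityMemberAccess code. The class name, the deny lists and the counter are hypothetical; only the idea of running the public-state check before every other acceptance check comes from the issue.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical, simplified checker; NOT Struts' SecurityMemberAccess.
public class OrderedMemberAccess {
    // Constructed deny lists for the demonstration.
    private final Set<String> excludedClasses =
            new HashSet<>(Arrays.asList("java.lang.Runtime", "java.lang.ProcessBuilder"));
    private final Set<String> excludedPackagePrefixes =
            new HashSet<>(Arrays.asList("java.lang.reflect.", "sun."));
    int exclusionChecks = 0; // how often the list-based checks actually ran

    public boolean isAccessible(Member member) {
        // 1. Public-state check first: a modifier bit test, and anything
        //    non-public is denied before any list is consulted.
        if (!Modifier.isPublic(member.getModifiers())
                || !Modifier.isPublic(member.getDeclaringClass().getModifiers())) {
            return false;
        }
        // 2. Only public members of public classes reach the exclusion lists.
        exclusionChecks++;
        String owner = member.getDeclaringClass().getName();
        if (excludedClasses.contains(owner)) {
            return false;
        }
        for (String prefix : excludedPackagePrefixes) {
            if (owner.startsWith(prefix)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        OrderedMemberAccess access = new OrderedMemberAccess();
        Member privateField = String.class.getDeclaredField("value");    // private
        Member publicMethod = String.class.getMethod("length");          // public, allowed
        Member excluded = Runtime.class.getMethod("exec", String.class); // public, deny-listed
        System.out.println("private field:   " + access.isAccessible(privateField));
        System.out.println("list checks run: " + access.exclusionChecks);
        System.out.println("String.length(): " + access.isAccessible(publicMethod));
        System.out.println("Runtime.exec():  " + access.isAccessible(excluded));
    }
}
```

With this ordering a non-public member is rejected without touching the exclusion lists, which matches the issue's `performance` and `security` labels: the cheapest test runs first, and a gap in a deny list cannot expose a private member.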
[jira] [Updated] (WW-5012) Make a public state check the first acceptance check in SecurityMemberAccess
[ https://issues.apache.org/jira/browse/WW-5012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yasser Zamani updated WW-5012:
------------------------------
    Fix Version/s:     (was: 2.5.21)
[jira] [Commented] (WW-5012) Make a public state check the first acceptance check in SecurityMemberAccess
[ https://issues.apache.org/jira/browse/WW-5012?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16771717#comment-16771717 ]

Yasser Zamani commented on WW-5012:
-----------------------------------

Works for me :) (y)