Re: [struts] Escaping Characters in Struts Property Tag
Hi Ben,

Have you looked at using a static reference? @[EMAIL PROTECTED]
or standard OGNL: http://struts.apache.org/2.0.11/docs/ognl-basics.html
e.g. if accessible from pageContext: #attr.comments

M

----- Original Message -----
From: chengas123 [EMAIL PROTECTED]
To: user@struts.apache.org
Sent: Tuesday, November 13, 2007 6:55 PM
Subject: Re: [struts] Escaping Characters in Struts Property Tag

> That is basically what I had been trying all along. Am I doing anything
> wrong?
>
> <s:property value="comments" /> returns what I am expecting.
> <s:property value="%{comments}" /> returns what I am expecting.
> <s:property value="@[EMAIL PROTECTED](comments)" /> returns nothing.
> <s:property value="[EMAIL PROTECTED]@escapeJavaScript(comments)}" /> returns nothing.
>
> Thanks,
> Ben
>
> newton.dave wrote:
>> --- chengas123 [EMAIL PROTECTED] wrote:
>>> That brings me back to my original question though which is how do I
>>> call that from within the property tag?
>>
>> http://struts.apache.org/2.x/docs/ognl-basics.html
>>
>> See the section called "Accessing static properties".
>>
>> Nutshell: <s:property value="@[EMAIL PROTECTED](valWithQuotes)"/>
>>
>> d.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>
> --
> View this message in context:
> http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13737312
> Sent from the Struts - User mailing list archive at Nabble.com.
Re: [struts] Escaping Characters in Struts Property Tag
Ahh, yes, that was my problem. I'm afraid I wasn't expecting that. I don't
really see how allowing static method access presents a security problem.
Am I opening myself up to any obvious risks by turning this on?

Thanks,
Ben

DNewfield wrote:
> Have you turned off this capability (or rather not turned it back on)?
>
> struts.ognl.allowStaticMethodAccess
> https://issues.apache.org/struts/browse/WW-2160
>
> -Dale

--
View this message in context:
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13747747
Re: [struts] Escaping Characters in Struts Property Tag
chengas123 wrote:
> Ahh, yes, that was my problem. I'm afraid I wasn't expecting that. I don't
> really see how allowing static method access presents a security problem.
> Am I opening myself up to any obvious risks by turning this on?

If someone submits a value in a form that you mirror back to them in a
place that might be evaluated by ognl, then @[EMAIL PROTECTED](-1) would be a
pretty evil risk, no?

I'm pretty certain that the most recent xwork .jar prevents ognl evaluation
while setting parameters from the request, so the path that string must
take to be destructive is now much more convoluted.

-Dale
Re: [struts] Escaping Characters in Struts Property Tag
Another issue, a more stylistic one, is that using methods like this is
barely better than scriptlets. Some would argue that this type of work
belongs on the server side, especially if you're working with
non-programming designers (although some can be trained to use a set of
well-defined static methods once they have the syntax).

d.

--- Dale Newfield [EMAIL PROTECTED] wrote:
> chengas123 wrote:
>> Ahh, yes, that was my problem. I'm afraid I wasn't expecting that. I
>> don't really see how allowing static method access presents a security
>> problem. Am I opening myself up to any obvious risks by turning this on?
>
> If someone submits a value in a form that you mirror back to them in a
> place that might be evaluated by ognl, then @[EMAIL PROTECTED](-1) would be
> a pretty evil risk, no?
>
> I'm pretty certain that the most recent xwork .jar prevents ognl
> evaluation while setting parameters from the request, so the path that
> string must take to be destructive is now much more convoluted.
>
> -Dale
Re: [struts] Escaping Characters in Struts Property Tag
I do see Dale's point now about the security risk. I'd generally agree with
Dave that using a static method is basically the same as a scriptlet.
However, in this case I can't say it really belongs in my bean. It's really
more of a formatting issue. I'd hate to have my bean have two getters for
every variable: one to get it regularly and one to get the escaped version.
Perhaps the property tag needs another attribute which would allow special
JavaScript characters to be escaped?

-Ben

newton.dave wrote:
> Another issue, a more stylistic one, is that using methods like this is
> barely better than scriptlets. Some would argue that this type of work
> belongs on the server side, especially if you're working with
> non-programming designers (although some can be trained to use a set of
> well-defined static methods once they have the syntax).
>
> d.
>
> --- Dale Newfield [EMAIL PROTECTED] wrote:
>> chengas123 wrote:
>>> Ahh, yes, that was my problem. I'm afraid I wasn't expecting that. I
>>> don't really see how allowing static method access presents a security
>>> problem. Am I opening myself up to any obvious risks by turning this on?
>>
>> If someone submits a value in a form that you mirror back to them in a
>> place that might be evaluated by ognl, then @[EMAIL PROTECTED](-1) would be
>> a pretty evil risk, no?
>>
>> I'm pretty certain that the most recent xwork .jar prevents ognl
>> evaluation while setting parameters from the request, so the path that
>> string must take to be destructive is now much more convoluted.
>>
>> -Dale

--
View this message in context:
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13752981
Re: [struts] Escaping Characters in Struts Property Tag
chengas123 wrote:
> var testValue = '<s:property value="testValue" />';
> However, this does not work if the value has a single quote in it

Try:

var testValue = "<s:property value='%{testValue}'/>";

-Dale
Re: [struts] Escaping Characters in Struts Property Tag
That does not escape the single quote.

-Ben

DNewfield wrote:
> chengas123 wrote:
>> var testValue = '<s:property value="testValue" />';
>> However, this does not work if the value has a single quote in it
>
> Try:
>
> var testValue = "<s:property value='%{testValue}'/>";
>
> -Dale

--
View this message in context:
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13732806
Re: [struts] Escaping Characters in Struts Property Tag
what about '<s:property value="testValue" escape="true" />'

-Wes

On 11/13/07, chengas123 [EMAIL PROTECTED] wrote:
> That does not escape the single quote.
>
> -Ben
>
> DNewfield wrote:
>> chengas123 wrote:
>>> var testValue = '<s:property value="testValue" />';
>>> However, this does not work if the value has a single quote in it
>>
>> Try:
>>
>> var testValue = "<s:property value='%{testValue}'/>";
>>
>> -Dale
>
> --
> View this message in context:
> http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13732806

--
Wesley Wannemacher
President, Head Engineer/Consultant
WanTii, Inc.
http://www.wantii.com
Re: [struts] Escaping Characters in Struts Property Tag
chengas123 wrote:
> That does not escape the single quote.

Correct. But I believe the following is valid ecmascript (without the
single quote being escaped):

var testValue = "You've got to be kidding!";

-Dale
Re: [struts] Escaping Characters in Struts Property Tag
Escape is true by default. It escapes HTML characters such as < and > and
not single quotes.

-Ben

Wes Wannemacher wrote:
> what about '<s:property value="testValue" escape="true" />'
>
> -Wes

--
View this message in context:
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13733962
Re: [struts] Escaping Characters in Struts Property Tag
Ahh, I'm afraid I'd missed that you reversed the order of the quotation
marks. I was not aware that could be done. However, what I'm actually doing
is putting the value into an onclick attribute. I'm not sure I can use this
trick because then I end up with something like:

onClick="myFunction('test ' value ')"

So I think escaping would still be best for me, so I get what I actually
want:

onClick="myFunction('test \' value ')"

-Ben

DNewfield wrote:
> Try:
>
> var testValue = "<s:property value='%{testValue}'/>";

--
View this message in context:
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13734649
Re: [struts] Escaping Characters in Struts Property Tag
chengas123 wrote:
> I think escaping would still be best for me

Then you're looking for:

org.apache.commons.lang.StringEscapeUtils.escapeJavaScript()

-Dale
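Added example, not code from the thread, from Struts, or from commons-lang. It shows why the `escape="true"` behaviour Ben describes is not enough once the value sits inside a JavaScript string literal in an onclick attribute, and why in that position both layers are needed: the browser decodes character entities in the attribute before the JavaScript engine parses the handler, so `escapeJavaScript()` alone turns a double quote into `\"`, and that raw `"` still ends a double-quoted attribute, while HTML escaping alone leaves the single quote that ends the literal. The helper names (`escapeHtmlAttribute`, a hand-written `escapeJavaScript` stand-in modelled on the commons-lang method's documented behaviour, `buildOnclickAttribute`, `simulateClick`, `compareStrategies`), the `myFunction` handler and the sample values are all mine; `escapeHtmlAttribute` assumes, from Ben's description, that the tag escapes `<`, `>`, `&` and `"` but not `'`.

```javascript
// Added example, not code from the thread, Struts or commons-lang.
// Encodes a value for   onclick="myFunction('<value>')"   in three ways and
// simulates what the browser hands to the JavaScript engine in each case.

// What the thread says <s:property escape="true"/> does: HTML-escape the
// markup characters but leave the single quote alone (assumption based on
// Ben's description, not on the tag's source).
function escapeHtmlAttribute(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;');
}

// Hand-written stand-in for StringEscapeUtils.escapeJavaScript(): backslash,
// both quotes, '/', and control or non-ASCII characters become escape
// sequences that are safe inside a JavaScript string literal.
function escapeJavaScript(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i);
    switch (ch) {
      case '\\': out += '\\\\'; break;
      case "'":  out += "\\'"; break;
      case '"':  out += '\\"'; break;
      case '/':  out += '\\/'; break;   // keeps "</script>" from closing a script block
      case '\n': out += '\\n'; break;
      case '\r': out += '\\r'; break;
      case '\t': out += '\\t'; break;
      default:
        out += (code < 0x20 || code > 0x7e)
          ? '\\u' + code.toString(16).toUpperCase().padStart(4, '0')
          : ch;
    }
  }
  return out;
}

// The attribute value as the JSP would emit it, with the chosen layers:
//   'html-only'  escape="true" alone
//   'js-only'    escapeJavaScript() with escape="false"
//   'both'       escapeJavaScript() first, then HTML attribute escaping
function buildOnclickAttribute(value, mode) {
  const encoders = {
    'html-only': (v) => escapeHtmlAttribute(v),
    'js-only':   (v) => escapeJavaScript(v),
    'both':      (v) => escapeHtmlAttribute(escapeJavaScript(v)),
  };
  if (!encoders[mode]) throw new Error('unknown mode: ' + mode);
  return "myFunction('" + encoders[mode](value) + "')";
}

// Minimal stand-in for the browser. The markup is onclick="...", so the
// attribute ends at the first raw double quote; what remains is entity
// decoded and only then parsed as JavaScript.
function decodeEntities(s) {
  return s.replace(/&quot;/g, '"')
          .replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>')
          .replace(/&#39;/g, "'")
          .replace(/&amp;/g, '&');   // last, so "&amp;lt;" does not become "<"
}

function simulateClick(attributeText) {
  const attributeValue = attributeText.split('"')[0];
  const jsSource = decodeEntities(attributeValue);
  let received = null;
  try {
    const handler = new Function('myFunction', jsSource);
    handler((arg) => { received = arg; });
    return { ok: true, received };
  } catch (e) {
    return { ok: false, error: e.name };   // SyntaxError: the literal was broken
  }
}

// What myFunction receives for one value under each encoding strategy.
function compareStrategies(value) {
  const result = {};
  for (const mode of ['html-only', 'js-only', 'both']) {
    result[mode] = simulateClick(buildOnclickAttribute(value, mode));
  }
  return result;
}

// Constructed sample values: Ben's single-quote case and a double-quote case.
for (const sample of ["test ' value", 'say "hi" </b>']) {
  console.log(JSON.stringify(sample), '=>', JSON.stringify(compareStrategies(sample)));
}
```

For Ben's onclick attribute only the `both` row round-trips every sample: the value is JavaScript-escaped first (on the server, whether in a getter or through the static call the thread discusses) and the tag's HTML escaping is left switched on so that the `\"` the JavaScript escape produces reaches the page as `\&quot;`. Dropping `escape="true"` to make the static call "work" is the wrong trade: it reopens the attribute boundary.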
Re: [struts] Escaping Characters in Struts Property Tag
Thanks. I will be sure to look at that. That brings me back to my original
question though which is how do I call that from within the property tag?

-Ben

DNewfield wrote:
> chengas123 wrote:
>> I think escaping would still be best for me
>
> Then you're looking for:
>
> org.apache.commons.lang.StringEscapeUtils.escapeJavaScript()
>
> -Dale

--
View this message in context:
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13735618
Re: [struts] Escaping Characters in Struts Property Tag
--- chengas123 [EMAIL PROTECTED] wrote:
> That brings me back to my original question though which is how do I
> call that from within the property tag?

http://struts.apache.org/2.x/docs/ognl-basics.html

See the section called "Accessing static properties".

Nutshell: <s:property value="@[EMAIL PROTECTED](valWithQuotes)"/>

d.
Re: [struts] Escaping Characters in Struts Property Tag
chengas123 wrote:
> Thanks. I will be sure to look at that. That brings me back to my
> original question though which is how do I call that from within the
> property tag?

<s:property value="[EMAIL PROTECTED]@escapeJavaScript(ognlExpr)}"/>

-Dale
Re: [struts] Escaping Characters in Struts Property Tag
That is basically what I had been trying all along. Am I doing anything
wrong?

<s:property value="comments" /> returns what I am expecting.
<s:property value="%{comments}" /> returns what I am expecting.
<s:property value="@[EMAIL PROTECTED](comments)" /> returns nothing.
<s:property value="[EMAIL PROTECTED]@escapeJavaScript(comments)}" /> returns nothing.

Thanks,
Ben

newton.dave wrote:
> --- chengas123 [EMAIL PROTECTED] wrote:
>> That brings me back to my original question though which is how do I
>> call that from within the property tag?
>
> http://struts.apache.org/2.x/docs/ognl-basics.html
>
> See the section called "Accessing static properties".
>
> Nutshell: <s:property value="@[EMAIL PROTECTED](valWithQuotes)"/>
>
> d.

--
View this message in context:
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13737312
Re: [struts] Escaping Characters in Struts Property Tag
chengas123 wrote:
> <s:property value="%{comments}" /> returns what I am expecting.
> <s:property value="[EMAIL PROTECTED]@escapeJavaScript(comments)}" /> returns nothing.

Do you have a commons-lang jar in your WEB-INF/lib?

http://commons.apache.org/lang/

-Dale
Re: [struts] Escaping Characters in Struts Property Tag
Yes. That's definitely not the problem. It's on my classpath, etc. I was
originally trying this same thing with a custom String util class that I
wrote and that did not work either. I should mention that I am using Struts
2.1.1. If I am doing this correctly, then perhaps it's a bug?

-Ben

DNewfield wrote:
> chengas123 wrote:
>> <s:property value="%{comments}" /> returns what I am expecting.
>> <s:property value="[EMAIL PROTECTED]@escapeJavaScript(comments)}" /> returns nothing.
>
> Do you have a commons-lang jar in your WEB-INF/lib?

--
View this message in context:
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13737895
Re: [struts] Escaping Characters in Struts Property Tag
chengas123 wrote:
> <s:property value="%{comments}" /> returns what I am expecting.
> <s:property value="[EMAIL PROTECTED]@escapeJavaScript(comments)}" /> returns nothing.

Have you turned off this capability (or rather not turned it back on)?

struts.ognl.allowStaticMethodAccess
https://issues.apache.org/struts/browse/WW-2160

Does:

<s:property value='[EMAIL PROTECTED]@escapeJavaScript("hello world")}'/>

work? That might help distinguish if the problem is the static call or the
data passed into it.

I assume you've looked at all the appropriate log files to see if there's
some helpful message there?

-Dale