Re: [struts] Escaping Characters in Struts Property Tag

2007-11-14 Thread Martin Gainty
Hi Ben

Have you looked at using static reference?
@[EMAIL PROTECTED]

or standard OGNL
http://struts.apache.org/2.0.11/docs/ognl-basics.html
e.g. if accessible from pageContext
#attr.comments

M--
- Original Message -
From: chengas123 [EMAIL PROTECTED]
To: user@struts.apache.org
Sent: Tuesday, November 13, 2007 6:55 PM
Subject: Re: [struts] Escaping Characters in Struts Property Tag



 That is basically what I had been trying all along.  Am I doing anything
 wrong?
 <s:property value="comments" /> returns what I am expecting.
 <s:property value="%{comments}" /> returns what I am expecting.
 <s:property value="@[EMAIL PROTECTED](comments)" /> returns nothing.
 <s:property value="[EMAIL PROTECTED]@escapeJavaScript(comments)}" /> returns nothing.

 Thanks,
 Ben



 newton.dave wrote:
 
  --- chengas123 [EMAIL PROTECTED] wrote:
  That brings me back to my original question though
  which is how do I call that from within the property
  tag?
 
  http://struts.apache.org/2.x/docs/ognl-basics.html
 
  See the section called Accessing static properties.
 
  Nutshell:
 
  <s:property value="@[EMAIL PROTECTED](valWithQuotes)"/>
 
  d.
 
 
  -
  To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
 
 
 

 --
 View this message in context:
 http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13737312
 Sent from the Struts - User mailing list archive at Nabble.com.









Re: [struts] Escaping Characters in Struts Property Tag

2007-11-14 Thread chengas123

Ahh, yes, that was my problem.  I'm afraid I wasn't expecting that.  I don't
really see how allowing static method access presents a security problem.  Am
I opening myself up to any obvious risks by turning this on?

Thanks,
Ben



DNewfield wrote:
 
 
 Have you turned off this capability (or rather not turned it back on)?
 struts.ognl.allowStaticMethodAccess
 https://issues.apache.org/struts/browse/WW-2160
 
 -Dale
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13747747
Sent from the Struts - User mailing list archive at Nabble.com.





Re: [struts] Escaping Characters in Struts Property Tag

2007-11-14 Thread Dale Newfield

chengas123 wrote:

Ahh, yes, that was my problem.  I'm afraid I wasn't expecting that.  I don't
really see how allowing static method access presents a security problem.  Am
I opening myself up to any obvious risks by turning this on?


If someone submits a value in a form that you mirror back to them in a 
place that might be evaluated by ognl, then @[EMAIL PROTECTED](-1) would be 
a pretty evil risk, no?  I'm pretty certain that the most recent xwork 
.jar prevents ognl evaluation while setting parameters from the request, 
so the path that string must take to be destructive is now much more 
convoluted.


-Dale




Re: [struts] Escaping Characters in Struts Property Tag

2007-11-14 Thread Dave Newton
Another issue, a more stylistic one, is that using
methods like this is barely better than scriptlets.
Some would argue that this type of work belongs on the
server side, especially if you're working with
non-programming designers (although some can be
trained to use a set of well-defined static methods
once they have the syntax).

d.

--- Dale Newfield [EMAIL PROTECTED] wrote:

 chengas123 wrote:
  Ahh, yes, that was my problem.  I'm afraid I
 wasn't expecting that.  I don't
  really see how allowing static method access
 presents a security problem.  Am
  I opening myself up to any obvious risks by
 turning this on?
 
 If someone submits a value in a form that you mirror
 back to them in a 
 place that might be evaluated by ognl, then
 @[EMAIL PROTECTED](-1) would be 
 a pretty evil risk, no?  I'm pretty certain that the
 most recent xwork 
 .jar prevents ognl evaluation while setting
 parameters from the request, 
 so the path that string must take to be destructive
 is now much more 
 convoluted.
 
 -Dale
 

 
 





Re: [struts] Escaping Characters in Struts Property Tag

2007-11-14 Thread chengas123

I do see Dale's point now about the security risk.  
I'd generally agree with Dave that using a static method is basically the
same as a scriptlet.  However, in this case I can't say it really belongs in
my bean.  It's really more of a formatting issue.  I'd hate to have my bean
have two getters for every variable: one to get it regularly and one to get
the escaped version.  
Perhaps the property tag needs another attribute which would allow special
JavaScript characters to be escaped?

-Ben



newton.dave wrote:
 
 Another issue, a more stylistic one, is that using
 methods like this is barely better than scriptlets.
 Some would argue that this type of work belongs on the
 server side, especially if you're working with
 non-programming designers (although some can be
 trained to use a set of well-defined static methods
 once they have the syntax).
 
 d.
 
 --- Dale Newfield [EMAIL PROTECTED] wrote:
 
 chengas123 wrote:
 Ahh, yes, that was my problem.  I'm afraid I
 wasn't expecting that.  I don't
 really see how allowing static method access
 presents a security problem.  Am
 I opening myself up to any obvious risks by
 turning this on?
 
 If someone submits a value in a form that you mirror
 back to them in a 
 place that might be evaluated by ognl, then
 @[EMAIL PROTECTED](-1) would be 
 a pretty evil risk, no?  I'm pretty certain that the
 most recent xwork 
 .jar prevents ognl evaluation while setting
 parameters from the request, 
 so the path that string must take to be destructive
 is now much more 
 convoluted.
 
 -Dale
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13752981
Sent from the Struts - User mailing list archive at Nabble.com.





Escaping Characters in Struts Property Tag

2007-11-13 Thread chengas123

Hi,
I want to use the struts property tag to set a JavaScript variable. 
Ordinarily, it would look something like:
var testValue = '<s:property value="testValue" />';

However, this does not work if the value has a single quote in it, so that
character needs to be escaped.  It should be easy, but I can't figure out
how to do it.  I can't return testValue.replaceAll("'", "\'") as I'd like to
because the quotes in the call to replaceAll would interfere with the quotes
in property tag.  My only other idea was to create a class with a static
method, but I can't figure out how to call it.  Would it be something like:
var testValue = '<s:property value="@[EMAIL PROTECTED](comments)" />'

Thanks,
Ben
-- 
View this message in context: 
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a1373
Sent from the Struts - User mailing list archive at Nabble.com.





Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread Dale Newfield

chengas123 wrote:

var testValue = '<s:property value="testValue" />';

However, this does not work if the value has a single quote in it


Try:
var testValue = "<s:property value='%{testValue}'/>";

-Dale




Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread chengas123

That does not escape the single quote.

-Ben



DNewfield wrote:
 
 chengas123 wrote:
 var testValue = '<s:property value="testValue" />';
 
 However, this does not work if the value has a single quote in it
 
 Try:
 var testValue = "<s:property value='%{testValue}'/>";
 
 -Dale
 
 

-- 
View this message in context: 
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13732806
Sent from the Struts - User mailing list archive at Nabble.com.





Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread Wes Wannemacher
what about '<s:property value="testValue" escape="true" />'

-Wes

On 11/13/07, chengas123 [EMAIL PROTECTED] wrote:

 That does not escape the single quote.

 -Ben



 DNewfield wrote:
 
  chengas123 wrote:
   var testValue = '<s:property value="testValue" />';
 
  However, this does not work if the value has a single quote in it
 
  Try:
   var testValue = "<s:property value='%{testValue}'/>";
 
  -Dale
 
 

 --
 View this message in context: 
 http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13732806
 Sent from the Struts - User mailing list archive at Nabble.com.






-- 
Wesley Wannemacher
President, Head Engineer/Consultant
WanTii, Inc.
http://www.wantii.com




Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread Dale Newfield

chengas123 wrote:

That does not escape the single quote.


Correct.  But I believe the following is valid ecmascript (without the 
single quote being escaped):


var testValue = "You've got to be kidding!";

-Dale




Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread chengas123

Escape is true by default.  It escapes HTML characters such as < and > and
not single quotes.

-Ben



Wes Wannemacher wrote:
 
 what about '<s:property value="testValue" escape="true" />'
 
 -Wes
 
 

-- 
View this message in context: 
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13733962
Sent from the Struts - User mailing list archive at Nabble.com.





Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread chengas123

Ahh, I'm afraid I'd missed that you reversed the order of the quotation
marks.  I was not aware that could be done.  However, what I'm actually
doing is putting the value into an onclick attribute.  I'm not sure I can
use this trick because then I end up with something like
onClick="myFunction('test " value ')".  So I think escaping would still be
best for me, so I get what I actually want:  onClick="myFunction('test \'
value ');"

-Ben



DNewfield wrote:
 
 
 Try:
 var testValue = "<s:property value='%{testValue}'/>";
 
 

-- 
View this message in context: 
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13734649
Sent from the Struts - User mailing list archive at Nabble.com.





Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread Dale Newfield

chengas123 wrote:

I think escaping would still be best for me


Then you're looking for:

org.apache.commons.lang.StringEscapeUtils.escapeJavaScript()

-Dale
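Ben's onclick case, Dale's pointer to escapeJavaScript() and Dave's preference for keeping this kind of work on the server side fit together in one small Java example. It is added here and is not code from the thread, from Struts or from commons-lang: escapeHtml() and escapeJavaScript() below are deliberately minimal stand-ins for org.apache.commons.lang.StringEscapeUtils.escapeHtml() and escapeJavaScript() (use the commons-lang versions in a real application), the action class and getter names are made up, and the sample comment is constructed. The example shows why the tag's default escape="true" (HTML escaping) leaves a value dropped into a JavaScript literal broken, and how a getter that returns the JavaScript-escaped value lets the JSP use a plain <s:property value="commentsJs" .../>, so struts.ognl.allowStaticMethodAccess can stay at its default (off) and no static call ever appears in an OGNL expression. It does cost the second getter Ben is reluctant to add, but only for the few values that actually land inside script.

```java
// Added example for this thread (not code from Struts, commons-lang or the posters).
// Shows (1) why <s:property>'s default HTML escaping does not make a value safe
// inside a JavaScript string literal, and (2) how an action can expose the
// JavaScript-escaped value through a getter so the JSP never needs
// struts.ognl.allowStaticMethodAccess=true.
//
// escapeHtml() and escapeJavaScript() are minimal stand-ins for
// org.apache.commons.lang.StringEscapeUtils.escapeHtml() / escapeJavaScript();
// use those in a real application.
public final class CommentEscapingDemo {

    /** HTML escaping as commons-lang escapeHtml() does it: &, <, > and " are
     *  encoded, the single quote is left alone (which is what Ben observed). */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;");  break;
                case '<': out.append("&lt;");   break;
                case '>': out.append("&gt;");   break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    /** Escaping for the inside of a JavaScript string literal, either quote style.
     *  Quotes and backslashes get a backslash, control and non-ASCII characters
     *  become Unicode escapes, and '/' becomes '\/' so "</script>" cannot end the block. */
    static String escapeJavaScript(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '\'': out.append("\\'");  break;
                case '"':  out.append("\\\""); break;
                case '/':  out.append("\\/");  break;
                case '\n': out.append("\\n");  break;
                case '\r': out.append("\\r");  break;
                case '\t': out.append("\\t");  break;
                default:
                    if (c < 0x20 || c > 0x7e) {
                        out.append(String.format("\\u%04X", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /** A plain Struts 2 action (a top-level class in a real project; nested here
     *  only to keep the example in one file). Names are made up for the example. */
    public static class CommentAction {
        private String comments = "";

        public String execute() { return "success"; }

        public void setComments(String comments) { this.comments = comments; }

        /** Ordinary HTML output: <s:property value="comments"/> with the default escaping. */
        public String getComments() { return comments; }

        /** For script contexts, the extra getter:
         *    var v = '<s:property value="commentsJs" escape="false"/>';   in a script block
         *    onclick="f('<s:property value="commentsJs"/>')"              in an attribute */
        public String getCommentsJs() { return escapeJavaScript(comments); }
    }

    public static void main(String[] args) {
        CommentAction action = new CommentAction();
        action.setComments("O'Reilly says \"hi\" </script>");   // constructed sample input

        // 1. What Ben observed: default HTML escaping leaves the apostrophe, which
        //    closes the literal after "O" and turns the rest into a syntax error.
        System.out.println("var v = '" + escapeHtml(action.getComments()) + "';");

        // 2. JS-escaped getter with escape="false": a valid literal, and the
        //    "</script>" inside the value can no longer close the script block.
        System.out.println("var v = '" + action.getCommentsJs() + "';");

        // 3. Inside onclick="...": the browser HTML-decodes the attribute and then
        //    parses the result as JavaScript, so the JS escaping must sit underneath
        //    the HTML escaping; the tag's default escape="true" supplies that outer layer.
        System.out.println("onclick=\"f('" + escapeHtml(action.getCommentsJs()) + "')\"");
    }
}
```

The ordering in case 3 is the part worth remembering for the onclick attribute: JavaScript escaping first, HTML escaping on top, because the browser decodes the attribute before the JavaScript parser sees it. In a script block the tag needs escape="false" on the JavaScript-escaped getter, otherwise the default HTML escaping turns a legitimate double quote into &quot; inside the literal.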




Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread chengas123

Thanks.  I will be sure to look at that.  
That brings me back to my original question though which is how do I call
that from within the property tag?

-Ben



DNewfield wrote:
 
 chengas123 wrote:
 I think escaping would still be best for me
 
 Then you're looking for:
 
 org.apache.commons.lang.StringEscapeUtils.escapeJavaScript()
 
 -Dale
 
 

-- 
View this message in context: 
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13735618
Sent from the Struts - User mailing list archive at Nabble.com.





Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread Dave Newton
--- chengas123 [EMAIL PROTECTED] wrote:
 That brings me back to my original question though
 which is how do I call that from within the property
tag?

http://struts.apache.org/2.x/docs/ognl-basics.html

See the section called Accessing static properties.

Nutshell:

<s:property value="@[EMAIL PROTECTED](valWithQuotes)"/>

d.





Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread Dale Newfield

chengas123 wrote:
Thanks.  I will be sure to look at that.  
That brings me back to my original question though which is how do I call

that from within the property tag?


<s:property value="[EMAIL PROTECTED]@escapeJavascript(ognlExpr)}"/>


-Dale




Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread chengas123

That is basically what I had been trying all along.  Am I doing anything
wrong?
<s:property value="comments" /> returns what I am expecting.
<s:property value="%{comments}" /> returns what I am expecting.
<s:property value="@[EMAIL PROTECTED](comments)" /> returns nothing.
<s:property value="[EMAIL PROTECTED]@escapeJavaScript(comments)}" /> returns nothing.

Thanks,
Ben



newton.dave wrote:
 
 --- chengas123 [EMAIL PROTECTED] wrote:
 That brings me back to my original question though
 which is how do I call that from within the property
 tag?
 
 http://struts.apache.org/2.x/docs/ognl-basics.html
 
 See the section called Accessing static properties.
 
 Nutshell:
 
 <s:property value="@[EMAIL PROTECTED](valWithQuotes)"/>
 
 d.
 
 
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13737312
Sent from the Struts - User mailing list archive at Nabble.com.





Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread Dale Newfield

chengas123 wrote:

<s:property value="%{comments}" /> returns what I am expecting.
<s:property value="[EMAIL PROTECTED]@escapeJavaScript(comments)}" /> returns nothing.


Do you have a commons-lang jar in your WEB-INF/lib?

http://commons.apache.org/lang/

-Dale




Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread chengas123

Yes.  That's definitely not the problem.  It's on my classpath, etc.  I was
originally trying this same thing with a custom String util class that I
wrote and that did not work either.  I should mention that I am using Struts
2.1.1.  If I am doing this correctly, then perhaps it's a bug? 

-Ben



DNewfield wrote:
 
 chengas123 wrote:
 <s:property value="%{comments}" /> returns what I am expecting.
 <s:property value="[EMAIL PROTECTED]@escapeJavaScript(comments)}" /> returns nothing.
 
 Do you have a commons-lang jar in your WEB-INF/lib?
 
 

-- 
View this message in context: 
http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13737895
Sent from the Struts - User mailing list archive at Nabble.com.





Re: [struts] Escaping Characters in Struts Property Tag

2007-11-13 Thread Dale Newfield

chengas123 wrote:

<s:property value="%{comments}" /> returns what I am expecting.
<s:property value="[EMAIL PROTECTED]@escapeJavaScript(comments)}" /> returns nothing.


Have you turned off this capability (or rather not turned it back on)?
struts.ognl.allowStaticMethodAccess
https://issues.apache.org/struts/browse/WW-2160

Does:
<s:property value='[EMAIL PROTECTED]@escapeJavaScript("hello world")}'/>

work?

That might help distinguish if the problem is the static call or the 
data passed into it.


I assume you've looked at all the appropriate log files to see if 
there's some helpful message there?


-Dale
