: Tuesday, November 13, 2007 6:55 PM
Subject: Re: [struts] Escaping Characters in Struts Property Tag
That is basically what I had been trying all along. Am I doing anything
wrong?
<s:property value="comments" /> returns what I am expecting.
<s:property value="%{comments}" /> returns what I am expecting
Ahh, yes, that was my problem. I'm afraid I wasn't expecting that. I don't
really see how allowing static method access presents a security problem. I
Am I opening myself up to any obvious risks by turning this on?
Thanks,
Ben
DNewfield wrote:
Have you turned off this capability (or
chengas123 wrote:
Ahh, yes, that was my problem. I'm afraid I wasn't expecting that. I don't
really see how allowing static method access presents a security problem. I
Am I opening myself up to any obvious risks by turning this on?
If someone submits a value in a form that you mirror back to
Another issue, a more stylistic one, is that using
methods like this is barely better than scriptlets.
Some would argue that this type of work belongs on the
server side, especially if you're working with
non-programming designers (although some can be
trained to use a set of well-defined static
I do see Dale's point now about the security risk.
I'd generally agree with Dave that using a static method is basically the
same as a scriptlet. However, in this case I can't say it really belongs in
my bean. It's really more of a formatting issue. I'd hate to have my bean
have two getters
chengas123 wrote:
var testValue = '<s:property value="testValue" />';
However, this does not work if the value has a single quote in it
Try:
var testValue = "<s:property value='%{testValue}'/>";
-Dale
That does not escape the single quote.
-Ben
DNewfield wrote:
chengas123 wrote:
var testValue = '<s:property value="testValue" />';
However, this does not work if the value has a single quote in it
Try:
var testValue = "<s:property value='%{testValue}'/>";
-Dale
what about '<s:property value="testValue" escape="true" />'
-Wes
On 11/13/07, chengas123 [EMAIL PROTECTED] wrote:
That does not escape the single quote.
-Ben
DNewfield wrote:
chengas123 wrote:
var testValue = '<s:property value="testValue" />';
However, this does not work if the value
chengas123 wrote:
That does not escape the single quote.
Correct. But I believe the following is valid ecmascript (without the
single quote being escaped):
var testValue = "You've got to be kidding!";
-Dale
Escape is true by default. It escapes HTML characters such as and and
not single quotes.
-Ben
Wes Wannemacher wrote:
what about '<s:property value="testValue" escape="true" />'
-Wes
Ahh, I'm afraid I'd missed that you reversed the order of the quotation
marks. I was not aware that could be done. However, what I'm actually
doing is putting the value into an onclick attribute. I'm not sure I can
use this trick because then I end up with something like
chengas123 wrote:
I think escaping would still be best for me
Then you're looking for:
org.apache.commons.lang.StringEscapeUtils.escapeJavaScript()
-Dale
Thanks. I will be sure to look at that.
That brings me back to my original question though which is how do I call
that from within the property tag?
-Ben
DNewfield wrote:
chengas123 wrote:
I think escaping would still be best for me
Then you're looking for:
--- chengas123 [EMAIL PROTECTED] wrote:
That brings me back to my original question though
which is how do I call that from within the property
tag?
http://struts.apache.org/2.x/docs/ognl-basics.html
See the section called Accessing static properties.
Nutshell:
s:property
value=@[EMAIL
chengas123 wrote:
Thanks. I will be sure to look at that.
That brings me back to my original question though which is how do I call
that from within the property tag?
s:property
value=[EMAIL PROTECTED]@escapeJavascript(ognlExpr)}/
-Dale
That is basically what I had been trying all along. Am I doing anything
wrong?
<s:property value="comments" /> returns what I am expecting.
<s:property value="%{comments}" /> returns what I am expecting.
s:property
value=@[EMAIL PROTECTED](comments)
/ returns nothing.
s:property
value=[EMAIL
chengas123 wrote:
<s:property value="%{comments}" /> returns what I am expecting.
s:property
value=[EMAIL PROTECTED]@escapeJavaScript(comments)}
/ returns nothing.
Do you have a commons-lang jar in your WEB-INF/lib?
http://commons.apache.org/lang/
-Dale
Yes. That's definitely not the problem. It's on my classpath, etc. I was
originally trying this same thing with a custom String util class that I
wrote and that did not work either. I should mention that I am using Struts
2.1.1. If I am doing this correctly, then perhaps it's a bug?
-Ben
chengas123 wrote:
<s:property value="%{comments}" /> returns what I am expecting.
s:property
value=[EMAIL PROTECTED]@escapeJavaScript(comments)}
/ returns nothing.
Have you turned off this capability (or rather not turned it back on)?
struts.ognl.allowStaticMethodAccess
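
Added example, not part of the thread and not code from Struts or commons-lang: the thread's point is that HTML escaping does not make a value safe inside a JavaScript string literal, and that a value in an onclick attribute sits in two contexts at once. The class, the method names and the `show` handler are hypothetical; the sample value is the string quoted in the thread.

```java
// Added example, not code from the thread or from Struts.
public class JsContextEscape {

    // Encode a value for use inside a quoted JavaScript string literal.
    // Quotes and HTML-significant characters become hex escapes, so the
    // result works with single or double quotes and inside a script block.
    static String escapeJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean special = c == '\'' || c == '"' || c == '\\' || c == '<'
                    || c == '>' || c == '&' || c == '/' || c < 0x20
                    || c == 0x2028 || c == 0x2029;
            if (special) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    // Encode a value for a double- or single-quoted HTML attribute.
    static String escapeHtmlAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        String value = "You've got to be kidding!"; // sample value from the thread

        // No JavaScript escaping: the apostrophe ends the literal early.
        String broken = "var testValue = '" + value + "';";

        // Script block: JavaScript-string escaping is what this context needs.
        String script = "var testValue = '" + escapeJsString(value) + "';";

        // onclick attribute: JS-escape first, then HTML-attribute-escape,
        // because the browser decodes the attribute before running the script.
        // show() is a hypothetical handler name.
        String onclick = "<a onclick=\"show('"
                + escapeHtmlAttr(escapeJsString(value)) + "')\">view</a>";

        System.out.println(broken);
        System.out.println(script);
        System.out.println(onclick);
    }
}
```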