Thanks Lukasz,
and sorry about the confusion! Yes, I did browse through some of the
release notes after your and Wolfgang's comments regarding xwork2
packages. At that point I then added
<constant name="struts.allowlist.enable" value="false"/>
in struts.xml. But it seems I at the same time also accidentally added
another setting
<constant name="struts.ognl.valueStackFallbackToContext" value="false"/>,
which was of course the root cause for many problems!
After removing that, the main problem (or at least one of them) seems to
concern JSP expressions. Now this works:
<s:iterator value="subjects" var="subject">
<h2><s:property value="#subject.name" /></h2>
</s:iterator>
but the same with a JSP expression does not show names in 7.0.0 (in
6.3.0.2 this works ok):
<s:iterator value="subjects" var="subject">
<h2>${subject.name}</h2>
</s:iterator>
What setting am I missing to get the latter to work? The code base
relies very heavily on this type of JSP expression, so stopping using
them is not a realistic option.
Best regards
Heikki
Lukasz Lenart wrote on 26.1.2025 at 8.32:
Did you read through the Migration guide? It looks like one of the
security factors blocks execution of your expression
https://cwiki.apache.org/confluence/display/WW/Struts+6.x.x+to+7.x.x+migration#Struts6.x.xto7.x.xmigration-Strongersecurity
Take a look at the allowlist capability
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=293046977#Struts6.x.xto7.x.xmigration-OGNLallowlistcapability
Cheers
Łukasz
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org