This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-staging by this push: new 3c13fb7 Updates stage by Jenkins 3c13fb7 is described below commit 3c13fb7afeb34d57d7f8e65d9e9cef5f232ea190 Author: jenkins <bui...@apache.org> AuthorDate: Sun Nov 10 12:24:06 2019 +0000 Updates stage by Jenkins --- content/security/index.html | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/content/security/index.html b/content/security/index.html index a3b97fa..25ebc36 100644 --- a/content/security/index.html +++ b/content/security/index.html @@ -141,6 +141,7 @@ <li><a href="#do-not-define-setters-when-not-needed" id="markdown-toc-do-not-define-setters-when-not-needed">Do not define setters when not needed</a></li> <li><a href="#do-not-use-incoming-values-as-an-input-for-localisation-logic" id="markdown-toc-do-not-use-incoming-values-as-an-input-for-localisation-logic">Do not use incoming values as an input for localisation logic</a></li> <li><a href="#use-struts-tags-instead-of-raw-el-expressions" id="markdown-toc-use-struts-tags-instead-of-raw-el-expressions">Use Struts tags instead of raw EL expressions</a></li> + <li><a href="#define-custom-error-pages" id="markdown-toc-define-custom-error-pages">Define custom error pages</a></li> </ul> </li> <li><a href="#internal-security-mechanism" id="markdown-toc-internal-security-mechanism">Internal security mechanism</a> <ul> 
@@ -283,6 +284,28 @@ Never use a raw <code class="highlighter-rouge">${}</code> EL expression on inco <p>The safest option is to use Struts Tags instead.</p> +<h3 id="define-custom-error-pages">Define custom error pages</h3> + +<p>As mentioned in <a href="https://cwiki.apache.org/confluence/display/WW/S2-006">S2-006</a> it’s a good practicse to define your own +error pages. This avoids exposing users to XSS attacks as Struts does not escape action’s names in automatically +generated error pages.</p> + +<p>You can eaither disable <a href="../core-developers/action-configuration#dynamic-method-invocation">DMI</a></p> + +<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><constant</span> <span class="na">name=</span><span class="s">"struts.enable.DynamicMethodInvocation"</span> <span class="na">value=</span><span class="s">"false"</span> <span class="nt">/></span> +</code></pre></div></div> + +<p>or define an error page</p> + +<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><global-results></span> + <span class="nt"><result</span> <span class="na">name=</span><span class="s">"error"</span><span class="nt">></span>/error_page.jsp<span class="nt"></result></span> +<span class="nt"></global-results></span> + +<span class="nt"><global-exception-mappings></span> + <span class="nt"><exception-mapping</span> <span class="na">exception=</span><span class="s">"java.lang.Exception"</span> <span class="na">result=</span><span class="s">"error"</span><span class="nt">/></span> +<span class="nt"></global-exception-mappings></span> +</code></pre></div></div> + <h2 id="internal-security-mechanism">Internal security mechanism</h2> <p>The Apache Struts 2 contains internal security manager which blocks access to particular classes and Java packages -
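Review bot: two spelling errors in the new paragraphs of this hunk, "practicse" should be "practice" and "eaither" should be "either"; since this file is produced by the Jenkins staging job (the ids such as `markdown-toc-define-custom-error-pages` are generated), the correction belongs in the source page from which content/security/index.html is rendered, not in this generated HTML. The two XML snippets would also read better with a sentence saying where they go: the `<constant name="struts.enable.DynamicMethodInvocation" value="false" />` line and the `<global-results>` / `<global-exception-mappings>` block both belong inside a `<package>` in struts.xml, and the `/error_page.jsp` referenced by `<result name="error">` must exist and must itself escape anything it renders, otherwise the custom page reintroduces the same exposure the section is trying to close.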