This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 6b91b24  Updates production by Jenkins
6b91b24 is described below

commit 6b91b2436ba422b23a75aa3864057afab4499f8a
Author: jenkins <bui...@apache.org>
AuthorDate: Mon Nov 11 12:45:36 2019 +0000

    Updates production by Jenkins
---
 content/security/index.html | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/content/security/index.html b/content/security/index.html
index a3b97fa..25ebc36 100644
--- a/content/security/index.html
+++ b/content/security/index.html
@@ -141,6 +141,7 @@
       <li><a href="#do-not-define-setters-when-not-needed" 
id="markdown-toc-do-not-define-setters-when-not-needed">Do not define setters 
when not needed</a></li>
       <li><a 
href="#do-not-use-incoming-values-as-an-input-for-localisation-logic" 
id="markdown-toc-do-not-use-incoming-values-as-an-input-for-localisation-logic">Do
 not use incoming values as an input for localisation logic</a></li>
       <li><a href="#use-struts-tags-instead-of-raw-el-expressions" 
id="markdown-toc-use-struts-tags-instead-of-raw-el-expressions">Use Struts tags 
instead of raw EL expressions</a></li>
+      <li><a href="#define-custom-error-pages" 
id="markdown-toc-define-custom-error-pages">Define custom error pages</a></li>
     </ul>
   </li>
   <li><a href="#internal-security-mechanism" 
id="markdown-toc-internal-security-mechanism">Internal security mechanism</a>   
 <ul>
@@ -283,6 +284,28 @@ Never use a raw <code class="highlighter-rouge">${}</code> 
EL expression on inco
 
 <p>The safest option is to use Struts Tags instead.</p>
 
+<h3 id="define-custom-error-pages">Define custom error pages</h3>
+
+<p>As mentioned in <a 
href="https://cwiki.apache.org/confluence/display/WW/S2-006";>S2-006</a> it’s a 
good practicse to define your own 
+error pages. This avoids exposing users to XSS attacks as Struts does not 
escape action’s names in automatically 
+generated error pages.</p>
+
+<p>You can eaither disable <a 
href="../core-developers/action-configuration#dynamic-method-invocation">DMI</a></p>
+
+<div class="language-xml highlighter-rouge"><div class="highlight"><pre 
class="highlight"><code><span class="nt">&lt;constant</span> <span 
class="na">name=</span><span 
class="s">"struts.enable.DynamicMethodInvocation"</span> <span 
class="na">value=</span><span class="s">"false"</span> <span 
class="nt">/&gt;</span>
+</code></pre></div></div>
+
+<p>or define an error page</p>
+
+<div class="language-xml highlighter-rouge"><div class="highlight"><pre 
class="highlight"><code><span class="nt">&lt;global-results&gt;</span>
+  <span class="nt">&lt;result</span> <span class="na">name=</span><span 
class="s">"error"</span><span class="nt">&gt;</span>/error_page.jsp<span 
class="nt">&lt;/result&gt;</span>
+<span class="nt">&lt;/global-results&gt;</span>
+ 
+<span class="nt">&lt;global-exception-mappings&gt;</span>
+  <span class="nt">&lt;exception-mapping</span> <span 
class="na">exception=</span><span class="s">"java.lang.Exception"</span> <span 
class="na">result=</span><span class="s">"error"</span><span 
class="nt">/&gt;</span>
+<span class="nt">&lt;/global-exception-mappings&gt;</span>
+</code></pre></div></div>
+
 <h2 id="internal-security-mechanism">Internal security mechanism</h2>
 
 <p>The Apache Struts 2 contains internal security manager which blocks access 
to particular classes and Java packages - 
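Review bot: the S2-006 link in the new paragraph (`href="https://cwiki.apache.org/confluence/display/WW/S2-006";>`) has a stray `;` after the closing quote, which browsers parse as a bogus attribute name; drop it. The same paragraph carries two typos, `practicse` and `eaither`, and the two options are split so that `<p>or define an error page</p>` stands as a sentence fragment after the first snippet; a single lead sentence such as "You can either disable DMI or define a global error result" before the two `<div class="language-xml ...">` blocks would read better. The second snippet maps `java.lang.Exception` to the global `error` result but says nothing about the page it points at: since the text's stated risk is that the generated error page does not escape the action name, add one sentence that `/error_page.jsp` must not itself echo the action name or request URI unescaped, otherwise the custom page reintroduces the same exposure.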
