2016-11-11 9:13 GMT+01:00 Greg Huber <gregh3...@gmail.com>:
>> Are you sure you are using the latest SNAPSHOT build? I cannot confirm
>> this locally
>>
>> http://screencast.com/t/j5Fz7EnBD4SZ
>
> I have rechecked it and it still pops
>
> <s:text name="#parameters.error"/>
>
> struts2-core-2.5.6-SNAPSHOT.jar and is dated 7/11/2016

What browser do you use?

>> but this is basically your fault as a developer. I'm going to mark
>> .toMap as deprecated and hide access to it.
>
> agreed, but security breaches can come from within especially on large
> projects and it's easy to hide a <s:text name="getParameter('error')" />
> somewhere.
>
> Is there a reason why the s:text has such a wide usage? I really only use
> it for text from my ApplicationResources.properties. I use s:property for
> all the get(..) etc stuff.

<s:text/> should only be used to fetch messages from properties files like you did, exactly what the description says: "Render a I18n text message". Using it for something else is a bad idea.

I can escape the returning value, this will block JavaScript injections like you did.

> <s:property value="#parameters.error"/>
>
> is blocked.

Cool :)

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
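As an added illustration of the escaping discussed in this thread (this is not code from the thread, nor from Struts itself), the following hypothetical message-lookup class mimics a text tag that falls back to echoing its key when no message is found. With a key taken from a request parameter, the unescaped variant reflects the parameter verbatim into the page; the escaped variant keeps the same fallback but HTML-escapes whatever it returns. The class and method names, the resource entry and the request value are all constructed for the example.

```java
// Added example (not Struts project code): a stand-in for an i18n text tag,
// showing why the value returned for an unknown, request-controlled key must be
// HTML-escaped before it reaches the page.
import java.util.HashMap;
import java.util.Map;

public class EscapedTextTag {

    // Hypothetical substitute for the properties-file lookup a text tag performs.
    private final Map<String, String> messages;

    public EscapedTextTag(Map<String, String> messages) {
        this.messages = messages;
    }

    // Unsafe variant: an unknown key is rendered as-is. If the key came from a
    // request parameter, attacker-controlled markup lands in the response body.
    public String renderUnescaped(String key) {
        return messages.getOrDefault(key, key);
    }

    // Hardened variant: identical fallback behaviour, but the result is escaped,
    // so it can only ever render as text, never as markup or script.
    public String renderEscaped(String key) {
        return escapeHtml(messages.getOrDefault(key, key));
    }

    // Minimal HTML escaper covering the characters that matter in element
    // content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Map<String, String> bundle = new HashMap<>();
        bundle.put("error.generic", "Something went wrong"); // constructed resource entry
        EscapedTextTag tag = new EscapedTextTag(bundle);

        // Constructed request parameter value, as if the page were called with
        // ?error=<script>alert(1)</script> and the tag name resolved to it.
        String fromRequest = "<script>alert(1)</script>";

        System.out.println(tag.renderUnescaped("error.generic")); // normal i18n lookup
        System.out.println(tag.renderUnescaped(fromRequest));     // markup reaches the page
        System.out.println(tag.renderEscaped(fromRequest));       // rendered inert as text
    }
}
```

The point of keeping the fallback identical in both variants is that escaping the return value fixes the injection without changing how the tag behaves for legitimate keys; the detection-side check is simply to grep templates for text tags whose name attribute is an expression rather than a literal message key.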