> What browser do you use?

Firefox 45.4.0 on CentOS

> <s:text/> should only be used to fetch messages from properties files
> like you did, exactly what description says "Render a I18n text
> message". Using it to something else is a bad idea.
> I can escape the returning value, this will block JavaScript
> injections like you did.

Maybe worth only allowing <s:text/> from .properties, as it says in the description?? ... For easier maintenance, and escaping might slow it down even more!!

When I started using Struts I made the mistake of using <s:text/> incorrectly where I should have used <s:property/> as it works. Also I had no idea that these hidden #parameters etc. exist.

Cheers

On 11 November 2016 at 10:06, Lukasz Lenart <lukaszlen...@apache.org> wrote:
> 2016-11-11 9:13 GMT+01:00 Greg Huber <gregh3...@gmail.com>:
>>> Are you sure you are using the latest SNAPSHOT build? I cannot confirm
>>> this locally
>>> http://screencast.com/t/j5Fz7EnBD4SZ
>>
>> I have rechecked it and it still pops
>>
>> <s:text name="#parameters.error"/>
>>
>> struts2-core-2.5.6-SNAPSHOT.jar and is dated 7/11/2016
>
> What browser do you use?
>
>>> but this is basically your fault as a developer. I'm going to mark
>>> .toMap as deprecated and hide access to it.
>>
>> Agreed, but security breaches can come from within, especially on large
>> projects, and it's easy to hide a <s:text name="getParameter('error')" />
>> somewhere.
>>
>> Is there a reason why the s:text has such a wide usage? I really only use
>> it for text from my ApplicationResources.properties. I use s:property for
>> all the get(..) etc. stuff.
>
> <s:text/> should only be used to fetch messages from properties files
> like you did, exactly what description says "Render a I18n text
> message". Using it to something else is a bad idea.
> I can escape the returning value, this will block JavaScript
> injections like you did.
>
>> <s:property value="#parameters.error"/>
>>
>> is blocked.
>
> Cool :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
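The distinction the thread draws between `<s:text>` and `<s:property>`, shown side by side in a JSP fragment. This is an added illustration, not code from the Struts project or from either poster; it assumes a message key `error.message` with a `{0}` placeholder in `ApplicationResources.properties` and an action property `errorText` (both hypothetical) that holds the user-facing text.

```jsp
<%@ taglib prefix="s" uri="/struts-tags" %>

<%-- Assumed resource entry (hypothetical), in ApplicationResources.properties:
     error.message=Something went wrong: {0}
     Assumed action property (hypothetical): getErrorText() --%>

<%-- Pattern reported in the thread as rendering unescaped: the name attribute is
     an OGNL expression, so a request-derived value becomes the lookup "key".
     When no such key exists in the bundle, the tag renders the key text as-is. --%>
<s:text name="#parameters.error" />

<%-- Intended use of <s:text>: the key is a fixed literal that lives in the
     .properties file, and any dynamic content is passed through <s:param>,
     which is substituted into the {0} placeholder of the message. --%>
<s:text name="error.message">
    <s:param value="errorText" />
</s:text>

<%-- Rendering a request- or action-derived value directly: <s:property>
     HTML-escapes its output by default, which is the behaviour the thread
     reports as "blocked". Making escapeHtml explicit documents the intent. --%>
<s:property value="errorText" />
<s:property value="errorText" escapeHtml="true" />
```

A quick way to audit a code base for the misuse discussed above is to grep JSP and FreeMarker templates for `<s:text` whose `name` attribute starts with `#` or `%{` rather than a literal key; literal keys can be checked against the resource bundle, whereas expression-valued names are the cases worth reviewing.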