Sounds like a good idea and plug the whole lot in one go. Tomcat 8 is JSP 2.3 and EL 3.0.
Checking ${parameters.get('error')} uses org.apache.struts2.dispatcher.Parameter. If I debug the class it is. toStringArray() does the conversion to the string, maybe escape here?

strValues[i] = StringEscapeUtils.escapeHtml4(String.valueOf(v));

On 16 November 2016 at 08:35, Lukasz Lenart <lukaszlen...@apache.org> wrote:

> 2016-11-15 9:11 GMT+01:00 Greg Huber <gregh3...@gmail.com>:
> > Sorry, back on this again :(
> >
> > Can we check this one? Pops for me.
> >
> > login.action?error=<script type="text/javascript">alert("ok");</script>
> >
> > ${parameters.get('error')}
> > ${parameters.get('error').value}
> >
> >
> > Where does the ${} reference stuff come from?
>
> It's because of JSTL, I meant Struts supports direct EL calls with
> expressions enclosed in ${} - not sure if we can do anything about
> this :\
> Struts is using JSP API 2.0, starting with JSP API 2.1 it is possible
> to register custom ELResolvers [1] which can be used in the same way
> as we did for OGNL.
>
> [1] https://docs.oracle.com/javaee/6/api/javax/el/ELResolver.html
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
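The escaping at the conversion point suggested in the message above, as an added example that is not part of the original thread or of the Struts code base. `ParamSketch` and `escapeHtml` are hypothetical names; `escapeHtml` is a minimal stand-in for `StringEscapeUtils.escapeHtml4` so the block runs on a bare JDK.

```java
// Added illustration. ParamSketch is a hypothetical stand-in, not the real
// org.apache.struts2.dispatcher.Parameter class.
public class ParamEscapeDemo {
    // Minimal escaper standing in for StringEscapeUtils.escapeHtml4 so the
    // example runs without commons-lang3 on the classpath.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    static final class ParamSketch {
        private final Object raw; // String, String[] or null
        ParamSketch(Object raw) { this.raw = raw; }

        // Escape at the conversion point, as proposed in the message.
        String[] toStringArray() {
            if (raw == null) return new String[0];
            Object[] values = raw instanceof Object[] ? (Object[]) raw : new Object[] { raw };
            String[] strValues = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                strValues[i] = escapeHtml(String.valueOf(values[i]));
            }
            return strValues;
        }
        // EL resolves ${p.value} through this getter.
        public String getValue() {
            String[] v = toStringArray();
            return v.length > 0 ? v[0] : null;
        }
        // EL coerces ${p} to a string through toString().
        @Override public String toString() { String v = getValue(); return v == null ? "" : v; }
    }

    public static void main(String[] args) {
        // Constructed input: the payload quoted in the thread.
        ParamSketch p = new ParamSketch(new String[] {
            "<script type=\"text/javascript\">alert(\"ok\");</script>" });
        System.out.println(p);            // the ${parameters.get('error')} case
        System.out.println(p.getValue()); // the ${parameters.get('error').value} case
    }
}
```

Escaping inside `toStringArray()` also changes the value seen by any code that reads the array for non-HTML purposes, and output that is escaped again at render time ends up double-encoded.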