Hi there, please see inline...

On 4/3/2023 11:18 AM, Lukasz Lenart wrote:
> The change has been introduced here [1] and the problem is that it replaces any non-alphanumeric character with "_". Also it works on an unevaluated version of the "name" attribute (in case the "id" attribute is not defined). I think this is a bug and I'm not sure why the "escape" method has been changed in case of fixing double evaluations (its main purpose was JavaScript-friendliness).
Because it was also reported in the same report by our last security report. It's required and is a common practice to avoid XSS.

If some plugin has a problem with it, then it also needs to be fixed (i.e. replace any non-alpha with _) because it's only for Struts internal usage and users shouldn't depend on Struts internal behavior.
Best Regards,
Yasser
> [1] https://github.com/apache/struts/pull/496/files#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669caR897
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> On Sat, 1 Apr 2023 at 12:43, Greg Huber <[email protected]> wrote:
>> Maybe a user question (sorry)
>>
>> Using action like this:
>>
>> action="%{#mainAction}!saveDraft"/>
>>
>> struts seems to get the "id" wrong? ...but the "name" correct. eg:
>>
>> <s:set var="mainAction">entryEdit</s:set>
>> <s:submit cssClass="btn btn-warning" value="%{getText('weblogEdit.save')}" action="%{#mainAction}!saveDraft"/>
>>
>> renders:
>>
>> <input type="submit" value="Save as Draft" id="entry____mainAction__saveDraft" name="action:entryAdd!saveDraft" class="btn btn-warning">
>>
>> Should be
>>
>> <input type="submit" value="Save as Draft" id="entry_entryAdd_saveDraft" name="action:entryAdd!saveDraft" class="btn btn-warning">
>>
>> #####
>>
>> If I try it on my app it does the same thing
>>
>> <form name="myConfig" id="myConfig" action="/app/myConfig.action" method="post">
>> <s:set var="myConfigzzzzz" value="'myConfig'" />
>> <s:submit value="%{getText('button.save')}" action="%{myConfigz}!save" accesskey="s" />
>> </form>
>>
>> renders:
>>
>> <input name="action:myConfig!save" type="submit" value="Save" id="myConfig___myConfigzzzzz__save" accesskey="s">
>>
>> should be
>>
>> <input name="action:myConfig!save" type="submit" value="Save" id="myConfig_myConfig_save" accesskey="s">
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
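The behaviour discussed in this thread, as an added example that is not Struts' own code: `escapeId` reproduces the allow-list replacement described above (everything outside [A-Za-z0-9] becomes "_"), and `evaluate` is a toy stand-in for OGNL that only resolves simple "%{#var}" references from a Map (an assumption; real OGNL does far more). The two `idFrom...` methods show the difference between escaping the unevaluated action expression and escaping the evaluated value, while the `name` attribute is evaluated and left untouched.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SubmitIdEscaping {

    // Allow-list escape described in the thread: every character outside
    // [A-Za-z0-9] is replaced with "_", so no quote, angle bracket or space
    // from an attribute value can ever land inside the rendered id="...".
    private static final Pattern NON_ALNUM = Pattern.compile("[^A-Za-z0-9]");

    // Toy stand-in for OGNL evaluation (assumption: it only understands
    // "%{#var}" / "%{var}" references, looked up in a Map used as the value stack).
    private static final Pattern VAR_REF = Pattern.compile("%\\{#?(\\w+)\\}");

    static String escapeId(String raw) {
        return NON_ALNUM.matcher(raw).replaceAll("_");
    }

    static String evaluate(String expr, Map<String, String> valueStack) {
        Matcher m = VAR_REF.matcher(expr);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = valueStack.getOrDefault(m.group(1), "");
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Order reported in the thread: the raw "%{...}" expression is escaped,
    // so "%{#" and "}!" each collapse into runs of underscores.
    static String idFromUnevaluatedAction(String formId, String actionExpr) {
        return formId + "_" + escapeId(actionExpr);
    }

    // Evaluate first, escape second: the allow-list still applies to the final
    // value, but the id now reflects the action that is actually submitted.
    static String idFromEvaluatedAction(String formId, String actionExpr,
                                        Map<String, String> valueStack) {
        return formId + "_" + escapeId(evaluate(actionExpr, valueStack));
    }

    public static void main(String[] args) {
        // Constructed sample mirroring Greg's first case: the form id is "entry"
        // and #mainAction holds "entryAdd" on the value stack.
        Map<String, String> valueStack = Map.of("mainAction", "entryAdd");
        String action = "%{#mainAction}!saveDraft";

        System.out.println("id, escaped before evaluation: "
                + idFromUnevaluatedAction("entry", action));
        System.out.println("id, escaped after evaluation:  "
                + idFromEvaluatedAction("entry", action, valueStack));
        // The name attribute is evaluated and keeps its "!" (it is not id-escaped).
        System.out.println("name: action:" + evaluate(action, valueStack));

        // Why the allow-list exists: a value that tries to break out of the
        // attribute is reduced to letters, digits and underscores.
        System.out.println("hostile value escaped: "
                + escapeId("\"><img src=x onerror=alert(1)>"));
    }
}
```

Compile with `javac SubmitIdEscaping.java` and run it: the first line reproduces the id quoted in the thread (entry____mainAction__saveDraft, where "%{#" and "}!" each become underscores), the second gives the expected entry_entryAdd_saveDraft, and the name stays action:entryAdd!saveDraft. The point for reviewers of the plugin-side fix is that the allow-list itself is not the bug; applying it to the unevaluated expression is.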
