[
https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13730926#comment-13730926
]
Dave Newton commented on WW-4171:
---------------------------------
[~coverity_srl] AFAIK the evaluation isn't happening in getText(), rather as
part of parameter processing. It's the same reason things like DisplayTag go
funky because it uses a minus sign as part of the request parameter.
> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
> Key: WW-4171
> URL: https://issues.apache.org/jira/browse/WW-4171
> Project: Struts 2
> Issue Type: Improvement
> Components: Documentation
> Affects Versions: 2.3.15.1
> Reporter: Coverity Security Research Laboratory
> Assignee: Lukasz Lenart
> Priority: Minor
> Labels: security
> Fix For: 2.3.16
>
>
> The methods below evaluate OGNL as their first parameter. However they are
> not documented as evaluating OGNL. We have observed this occurring in one
> project and are contacting the affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None
> of these methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as
> evaluating OGNL since this may come as a surprise to some developers.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
