[ https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13730926#comment-13730926 ]
Dave Newton commented on WW-4171: --------------------------------- [~coverity_srl] AFAIK the evaluation isn't happening in getText(), rather as part of parameter processing. It's the same reason things like DisplayTag go funky because it uses a minus sign as part of the request parameter. > getText methods are not documented as evaluating OGNL > ----------------------------------------------------- > > Key: WW-4171 > URL: https://issues.apache.org/jira/browse/WW-4171 > Project: Struts 2 > Issue Type: Improvement > Components: Documentation > Affects Versions: 2.3.15.1 > Reporter: Coverity Security Research Laboratory > Assignee: Lukasz Lenart > Priority: Minor > Labels: security > Fix For: 2.3.16 > > > The methods below evaluate OGNL as their first parameter. However they are > not documented as evaluating OGNL. We have observed this occurring in one > project and are contacting the affected vendors. > com.opensymphony.xwork2.TextProviderSupport.getText(String, String[]) > com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>) > com.opensymphony.xwork2.TextProviderSupport.getText(String) > These methods are then used by ActionSupport (via its getText methods). None > of these methods are documented as evaluating OGNL either. > This issue is recommending that all of these methods are documented as > evaluating OGNL since this may come as a surprise to some developers. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira