[jira] [Commented] (WW-4551) Allowing conversion of RFC3339 dates with date part only (yyyy-MM-dd) as per HTML5 and w3 standard for (and others).

2015-10-08 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4551?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14948856#comment-14948856
 ] 

ASF GitHub Bot commented on WW-4551:


Github user andrea-ligios commented on the pull request:

https://github.com/apache/struts/pull/52#issuecomment-146581055
  
@wolpi Thank you! You could vote for the 
[JIRA](https://issues.apache.org/jira/browse/WW-4551) if interested :) 

The tests are in this file: 


https://github.com/andrea-ligios/struts/blob/d95fc63992f3892519d970b07052776e0401003a/core/src/test/java/com/opensymphony/xwork2/conversion/impl/XWorkConverterTest.java

The test could be added in the `testDateConversion()` method, the code 
should be:

Date dateRfc3339 = (Date) converter.convertValue(context, null, null, 
null, "2001-01-10", Date.class);
assertEquals(date, dateRfc3339);

Could you add it to that file ? I'm just new to the whole thing (Git, 
GitHub, etc...). Thanks


> Allowing conversion of RFC3339 dates with date part only (yyyy-MM-dd) as per 
> HTML5 and w3 standard for  (and others).
> --
>
> Key: WW-4551
> URL: https://issues.apache.org/jira/browse/WW-4551
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Actions
>Affects Versions: 2.3.24
>Reporter: Andrea Ligios
> Fix For: 2.3.x
>
>
> Facts:
> - {code:xml}{code} is the HTML5 standard for inputting 
> dates. It works in many browsers: Chrome, Opera, almost every mobile browser 
> - where it is fundamental - and the coverage can only grow. 
> - [w3 has chosen the RFC3339 *with date 
> only*|http://www.w3.org/TR/html-markup/input.date.html#input.date.attrs.value]
>  as *value format* {code}yyyy-MM-dd{code} while transparently handling the 
> *display format* according to the Locale. 
> This means that, for example, Americans see {code}MM/dd/yyyy{code}, Italians 
> see {code}dd/MM/yyyy{code}, but both of them send {code}yyyy-MM-dd{code} to 
> the server. *Without the time part*.
> - Struts Date Converter already works for: 
> {code:title=DateConverter.java|borderStyle=solid}
> DateFormat dt1 = DateFormat.getDateTimeInstance(DateFormat.SHORT, 
> DateFormat.LONG, locale);
> DateFormat dt2 = DateFormat.getDateTimeInstance(DateFormat.SHORT, 
> DateFormat.MEDIUM, locale);
> DateFormat dt3 = DateFormat.getDateTimeInstance(DateFormat.SHORT, 
> DateFormat.SHORT, locale);
> DateFormat d1 = DateFormat.getDateInstance(DateFormat.SHORT, locale);
> DateFormat d2 = DateFormat.getDateInstance(DateFormat.MEDIUM, locale);
> DateFormat d3 = DateFormat.getDateInstance(DateFormat.LONG, locale);
> DateFormat rfc3339 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
> {code}
> with a final fallback to {code:java}DateFormat.SHORT{code} if nothing worked 
> (in case of Time and Timestamps too).
> My idea is: 
> can we add the support for *date-only RFC3339*, that is the one sent by the 
> browser, *in addition* to the ones already there ? No existing code would 
> break, and we'd have a standard, automatic conversion for a popular, growing 
> *standard*.
> I can't see any cons. Can you ?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
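
An added example, not code from the pull request or from Struts: one way to place a date-only RFC3339 pattern after the existing date-time pattern while parsing strictly, so that out-of-range fields and trailing text are rejected rather than silently accepted. The class and method names are hypothetical.

```java
import java.text.DateFormat;
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;

// Added example, not Struts code: class and method names are hypothetical.
public class DateOnlyFallbackDemo {

    // Tries each format in order; returns null when none matches the whole input.
    static Date parseStrict(String value, DateFormat... formats) {
        for (DateFormat df : formats) {
            df.setLenient(false); // reject 2001-13-45 instead of rolling it over
            ParsePosition pos = new ParsePosition(0);
            Date parsed = df.parse(value, pos);
            // parse() stops at the first character it cannot use, so also
            // require that the whole string was consumed.
            if (parsed != null && pos.getIndex() == value.length()) {
                return parsed;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        DateFormat rfc3339 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss", Locale.ROOT);
        DateFormat rfc3339DateOnly = new SimpleDateFormat("yyyy-MM-dd", Locale.ROOT);

        // Constructed inputs: two valid values, then three that must be rejected.
        String[] samples = {
            "2001-01-10T09:30:00",
            "2001-01-10",
            "2001-13-45",
            "2001-01-10<script>",
            "10/01/2001"
        };
        for (String s : samples) {
            Date d = parseStrict(s, rfc3339, rfc3339DateOnly);
            System.out.println(s + " -> " + (d == null ? "rejected" : d.toString()));
        }
    }
}
```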


[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2015-10-08 Thread brian neisen (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14948986#comment-14948986
 ] 

brian neisen commented on WW-4507:
--

Hi,  

The problem is related to the page encoding.  I was only able to reproduce when 
the page encoding was set to ISO-8859-1.  When the page encoding is set to 
UTF-8 this XSS issue is not reproducible.

Thanks,

Brian

> Struts 2 XSS vulnerability with 
> -
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
>  Issue Type: Bug
>Affects Versions: 2.3.16.3
> Environment: Operating System:  Windows 7.  Application Server:  
> JBoss-4.2.1.GA.  Java: jdk1.5.0.11.  Development Framework:  Struts 
> 2.3.16.3.  Browser:  FireFox 38.0.1
>Reporter: brian neisen
>  Labels: struts2, vulnerability, xss
> Fix For: 2.3.x
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the 
>  tag.   When loading a url in a browser with some param name, in 
> this case "myinput", and the jsp being loaded has the tag  name="myinput" id="myinput">, an alert message is popped open 
> in the browser- which is WhiteHat's method of showing the vulnerability.  
> Example url is: 
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
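
An added example, not code from Struts or from the report: the example URL above carries byte sequences that begin with 0xFC, a byte that never occurs in UTF-8 as defined by RFC 3629, so a decoder configured to report malformed input rejects the value before it is rendered. It assumes the application expects UTF-8 parameters; the class and method names are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

// Added example, not Struts code: class and method names are hypothetical.
public class StrictParamDecoder {

    // Percent-decodes a raw query value to bytes; no charset is applied yet.
    static byte[] percentDecode(String raw) {
        if (!raw.matches("\\p{ASCII}*")) throw new IllegalArgumentException("non-ASCII raw value");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '+') { out.write(' '); continue; }
            if (c != '%') { out.write(c); continue; }
            if (i + 2 >= raw.length()) throw new IllegalArgumentException("truncated escape");
            int hi = Character.digit(raw.charAt(i + 1), 16);
            int lo = Character.digit(raw.charAt(i + 2), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad escape");
            out.write((hi << 4) | lo);
            i += 2;
        }
        return out.toByteArray();
    }

    // Decodes as UTF-8 and fails on any malformed sequence instead of
    // replacing it or passing it through.
    static String decodeStrictUtf8(String raw) throws CharacterCodingException {
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(percentDecode(raw)))
                .toString();
    }

    public static void main(String[] args) {
        String[] samples = {
            "caf%C3%A9",                                 // constructed: valid UTF-8
            "%C0%BC",                                    // constructed: overlong 2-byte form
            "%fc%80%80%80%80%bCscript%fc%80%80%80%80%bE" // fragment of the URL in the report
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> accepted: " + decodeStrictUtf8(s));
            } catch (CharacterCodingException | IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e);
            }
        }
    }
}
```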


[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2015-10-08 Thread Lukasz Lenart (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14949882#comment-14949882
 ] 

Lukasz Lenart commented on WW-4507:
---

Thanks [~greaser...@gmail.com] - will prepare an announcement!
