[jira] [Commented] (WW-4551) Allowing conversion of RFC3339 dates with date part only (yyyy-MM-dd) as per HTML5 and w3 standard for <input type="date"> (and others).
[ https://issues.apache.org/jira/browse/WW-4551?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14948856#comment-14948856 ]

ASF GitHub Bot commented on WW-4551:
------------------------------------

Github user andrea-ligios commented on the pull request:

    https://github.com/apache/struts/pull/52#issuecomment-146581055

    @wolpi Thank you! You could vote the [JIRA](https://issues.apache.org/jira/browse/WW-4551) if interested :)

    The tests are in this file:
    https://github.com/andrea-ligios/struts/blob/d95fc63992f3892519d970b07052776e0401003a/core/src/test/java/com/opensymphony/xwork2/conversion/impl/XWorkConverterTest.java

    The test could be added in the `testDateConversion()` method; the code should be:

        Date dateRfc3339 = (Date) converter.convertValue(context, null, null, null, "2001-01-10", Date.class);
        assertEquals(date, dateRfc3339);

    Could you add it to that file? I'm just new to the whole thing (Git, GitHub, etc...).

    Thanks


> Allowing conversion of RFC3339 dates with date part only (yyyy-MM-dd) as per
> HTML5 and w3 standard for <input type="date"> (and others).
> ----------------------------------------------------------------------------
>
>                 Key: WW-4551
>                 URL: https://issues.apache.org/jira/browse/WW-4551
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.3.24
>            Reporter: Andrea Ligios
>             Fix For: 2.3.x
>
>
> Facts:
> - {code:xml}<input type="date">{code} is the HTML5 standard for inputting
> dates. It works in many browsers: Chrome, Opera, almost every mobile browser
> - where it is fundamental - and the coverage can only grow.
> - [w3 has chosen the RFC3339 *with date
> only*|http://www.w3.org/TR/html-markup/input.date.html#input.date.attrs.value]
> as *value format* {code}yyyy-MM-dd{code} while transparently handling the
> *display format* according to the Locale.
> This means that, for example, Americans see {code}MM/dd/yyyy{code}, Italians
> see {code}dd/MM/yyyy{code}, but both of them send {code}yyyy-MM-dd{code} to
> the server. *Without the time part*.
> - Struts Date Converter already works for:
> {code:title=DateConverter.java|borderStyle=solid}
> DateFormat dt1 = DateFormat.getDateTimeInstance(DateFormat.SHORT, DateFormat.LONG, locale);
> DateFormat dt2 = DateFormat.getDateTimeInstance(DateFormat.SHORT, DateFormat.MEDIUM, locale);
> DateFormat dt3 = DateFormat.getDateTimeInstance(DateFormat.SHORT, DateFormat.SHORT, locale);
> DateFormat d1 = DateFormat.getDateInstance(DateFormat.SHORT, locale);
> DateFormat d2 = DateFormat.getDateInstance(DateFormat.MEDIUM, locale);
> DateFormat d3 = DateFormat.getDateInstance(DateFormat.LONG, locale);
> DateFormat rfc3339 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
> {code}
> with a final fallback to {code:java}DateFormat.SHORT{code} if nothing worked
> (in case of Time and Timestamps too).
>
> My idea is:
> can we add the support for *date-only RFC3339*, that is the one sent by the
> browser, *in addition* to the ones already there? No existing code would
> break, and we'd have a standard, automatic conversion for a popular, growing
> *standard*.
>
> I can't see any cons. Can you?

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
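The conversion Andrea proposes, written out as a stand-alone example added here (this is not Struts' DateConverter and not the code in the pull request): it tries the pattern list quoted from DateConverter above plus the date-only "yyyy-MM-dd" form, with two checks a practitioner would want on input that comes straight from a request parameter. Lenient parsing is switched off, so "2001-13-45" is rejected instead of being rolled over to a real date, and each candidate must consume the whole string, because DateFormat.parse(String) stops at the first character it cannot parse and silently ignores the rest. The class and method names, and the use of UTC for the two ISO patterns, are this example's own assumptions.

```java
import java.text.DateFormat;
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

/*
 * Added example, not Struts code: tries the DateConverter pattern list plus
 * the proposed date-only RFC 3339 form, strictly. Names are this example's own.
 */
public class Rfc3339DateParsing {

    // A date-only value carries no zone; UTC is an assumption of this example.
    private static final TimeZone UTC = TimeZone.getTimeZone("UTC");

    /** The patterns quoted from DateConverter, in the same order, plus yyyy-MM-dd last. */
    static DateFormat[] candidateFormats(Locale locale) {
        DateFormat[] formats = {
            DateFormat.getDateTimeInstance(DateFormat.SHORT, DateFormat.LONG, locale),
            DateFormat.getDateTimeInstance(DateFormat.SHORT, DateFormat.MEDIUM, locale),
            DateFormat.getDateTimeInstance(DateFormat.SHORT, DateFormat.SHORT, locale),
            DateFormat.getDateInstance(DateFormat.SHORT, locale),
            DateFormat.getDateInstance(DateFormat.MEDIUM, locale),
            DateFormat.getDateInstance(DateFormat.LONG, locale),
            new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss"),
            new SimpleDateFormat("yyyy-MM-dd")          // the proposed addition
        };
        for (DateFormat f : formats) {
            f.setLenient(false);   // "2001-13-45" must fail, not roll over into 2002
        }
        formats[6].setTimeZone(UTC);
        formats[7].setTimeZone(UTC);
        return formats;
    }

    /** Returns the parsed Date, or null when no candidate consumes the whole input. */
    static Date parse(String value, Locale locale) {
        for (DateFormat f : candidateFormats(locale)) {
            ParsePosition pos = new ParsePosition(0);
            Date d = f.parse(value, pos);
            // Full-consumption check: DateFormat.parse(String) would accept
            // "2001-01-10 trailing junk" by stopping at the first bad character.
            if (d != null && pos.getIndex() == value.length()) {
                return d;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Locale it = Locale.ITALY;
        Locale us = Locale.US;
        // The browser value is locale independent: both locales parse it.
        System.out.println(parse("2001-01-10", it));
        System.out.println(parse("2001-01-10", us));
        // The existing locale-specific SHORT form keeps working.
        System.out.println(parse("10/01/01", it));
        // Rejected: out-of-range month/day with lenient parsing off.
        System.out.println(parse("2001-13-45", it));
        // Rejected: trailing data after a valid date.
        System.out.println(parse("2001-01-10 trailing junk", it));
    }
}
```

The assertion suggested in the comment, assertEquals(date, dateRfc3339), only holds if the expected Date and the parsed one are built in the same time zone; a date-only string has no zone of its own, so whichever zone the converter applies to it is a convention that the test has to share.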
[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with
[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14948986#comment-14948986 ]

brian neisen commented on WW-4507:
----------------------------------

Hi,

The problem is related to the page encoding. I was only able to reproduce when the page encoding was set to ISO-8859-1. When the page encoding is set to UTF-8 this XSS issue is not reproducible.

Thanks,
Brian

> Struts 2 XSS vulnerability with
> -------------------------------
>
>                 Key: WW-4507
>                 URL: https://issues.apache.org/jira/browse/WW-4507
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.16.3
>         Environment: Operating System: Windows 7. Application Server:
> JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: Struts
> 2.3.16.3. Browser: FireFox 38.0.1
>            Reporter: brian neisen
>              Labels: struts2, vulnerability, xss
>             Fix For: 2.3.x
>
>
> WhiteHat Security (whitehatsec.com) has found an XSS vulnerability with the
> tag. When loading a URL in a browser with some param name, in
> this case "myinput", and the JSP being loaded has the tag name="myinput" id="myinput">, an alert message is popped open
> in the browser, which is WhiteHat's method of showing the vulnerability.
> Example URL is:
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]
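What the bytes in the reported URL actually are, as an added example that is not part of the report and not Struts code. Every %fc%80%80%80%80%xx group is a six-byte "overlong" UTF-8 encoding of one ASCII character: the sequence decodes to "><whscheck><script>alert(1)</script> if, and only if, the decoder accepts non-shortest forms, which RFC 3629 forbids. The percent-decoded bytes contain no 0x22, 0x3C or 0x3E, so any escaper that inspects the raw bytes, or the ISO-8859-1 view of them, sees nothing to escape; the JDK's own UTF-8 decoder rejects the sequences and yields replacement characters. The page does not say which component in the request/response path performed the lenient decode, so the example does not model Struts; the lenient decoder, class and helper names below are this example's own.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

/*
 * Added example, not Struts code: decodes the "myinput" value from the report
 * strictly and leniently to show how an overlong payload slips past a
 * byte-level check. Names are this example's own.
 */
public class OverlongUtf8Demo {

    // The "myinput" value from the URL in the report, copied verbatim.
    static final String REPORTED_PARAM =
        "%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7"
      + "%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8"
      + "%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE"
      + "%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81"
      + "%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE";

    /** Percent-decodes into raw bytes; no charset is applied at this stage. */
    static byte[] percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()) {
                out.write(Integer.parseInt(s.substring(i + 1, i + 3), 16));
                i += 2;
            } else {
                out.write((byte) c);
            }
        }
        return out.toByteArray();
    }

    /** Strict decoding: the JDK decoder rejects overlong forms and the 0xF8-0xFD
     *  lead bytes, substituting U+FFFD for each malformed byte. */
    static String decodeStrict(byte[] b) {
        return new String(b, StandardCharsets.UTF_8);
    }

    /** Lenient decoding: rebuilds the code point from the lead/continuation bit
     *  pattern without checking that the shortest form was used. This is the
     *  behaviour the payload needs. Bytes that do not complete a sequence are
     *  passed through one at a time. */
    static String decodeLenient(byte[] b) {
        StringBuilder sb = new StringBuilder();
        int i = 0;
        while (i < b.length) {
            int lead = b[i] & 0xFF;
            int extra, cp;
            if (lead < 0x80)      { extra = 0; cp = lead; }                      // plain ASCII
            else if (lead < 0xC0) { sb.append((char) lead); i++; continue; }    // stray continuation
            else if (lead < 0xE0) { extra = 1; cp = lead & 0x1F; }
            else if (lead < 0xF0) { extra = 2; cp = lead & 0x0F; }
            else if (lead < 0xF8) { extra = 3; cp = lead & 0x07; }
            else if (lead < 0xFC) { extra = 4; cp = lead & 0x03; }
            else if (lead < 0xFE) { extra = 5; cp = lead & 0x01; }              // 6-byte form, as in the report
            else                  { sb.append((char) lead); i++; continue; }
            boolean complete = i + extra < b.length;
            for (int k = 1; complete && k <= extra; k++) {
                int cont = b[i + k] & 0xFF;
                if ((cont & 0xC0) != 0x80) complete = false;
                else cp = (cp << 6) | (cont & 0x3F);
            }
            if (!complete) { sb.append((char) lead); i++; continue; }
            if (cp > 0x10FFFF) cp = 0xFFFD;      // keep appendCodePoint happy on absurd values
            sb.appendCodePoint(cp);              // no shortest-form check: 0x3C arrives as '<'
            i += extra + 1;
        }
        return sb.toString();
    }

    /** True when the string contains any of the characters an HTML attribute escaper must handle. */
    static boolean containsMarkup(String s) {
        return s.indexOf('<') >= 0 || s.indexOf('>') >= 0 || s.indexOf('"') >= 0;
    }

    public static void main(String[] args) {
        byte[] raw = percentDecode(REPORTED_PARAM);
        String latin1 = new String(raw, StandardCharsets.ISO_8859_1);   // one char per byte
        System.out.println("ISO-8859-1 view contains markup: " + containsMarkup(latin1));            // false
        System.out.println("strict UTF-8 contains markup:    " + containsMarkup(decodeStrict(raw)));  // false
        System.out.println("lenient UTF-8 decodes to:        " + decodeLenient(raw));
        // lenient result: "><whscheck><script>alert(1)</script>
    }
}
```

The practical check this suggests: decode request bytes once, with a strict decoder, before any validation or escaping runs, and treat a decoder that accepts overlong sequences (older JDK 1.5-era decoders did) as a bypass of every character-based filter downstream.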
[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with
[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14949882#comment-14949882 ]

Lukasz Lenart commented on WW-4507:
-----------------------------------

Thanks [~greaser...@gmail.com] - will prepare an announcement!