[jira] [Commented] (WW-5022) Struts 2.6 escaping behaviour change for s:a (anchor) tag

2019-02-19 Thread Yasser Zamani (JIRA)


[ 
https://issues.apache.org/jira/browse/WW-5022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772708#comment-16772708
 ] 

Yasser Zamani commented on WW-5022:
---

What is the philosophy that auto-escaping is a critical need?! If there isn't 
one, and as it looks like a huge behavioral change, then let's disable 
auto-escaping. I myself, as a user/developer, prefer flexibility over security - 
I myself should care!

> Struts 2.6 escaping behaviour change for s:a (anchor) tag
> -
>
> Key: WW-5022
> URL: https://issues.apache.org/jira/browse/WW-5022
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.6
> Environment: Tomcat 7.0, 8.5 using Java 8 and 11.
> Reporter: James Chaplin
> Priority: Major
> Fix For: 2.6
>
>
> While interacting with the current 2.6 Showcase application I recently 
> noticed that +the "Home" glyph icon was not displaying correctly+.  Instead 
> of the icon, +the page displayed the body content literally in the browser+.  
> Checking the page source (view source in browser) it turns out the body 
> content of the tag was HTML-escaped.  I double-checked and this does not 
> happen to Struts 2.5.21 (snapshot) or older 2.6 Showcase apps.
> This behaviour might affect other tags, but +it was noticed and confirmed 
> with "s:a"+ (the JSP anchor tag).
> After some digging (using older commits from GitHub and building the 2.6 
> Showcase app from them) it appears the automatic body escaping did not occur 
> prior to January 2nd 2019, but was introduced with one of the multiple 
> commits applied on January 3rd 2019.
> It could be an interaction between earlier mid-December 2018 commits that 
> changed the Freemarker configuration version in FreemarkerManager 
> (Configuration.VERSION_2_3_0) to a new one (Configuration.VERSION_2_3_28), 
> combined with the January 3rd commits.  Couldn't find the exact cause, but 
> perhaps one of the Struts Team might be able to do so.
> Given the original/old behaviour +it seems that auto-escaping the tag body 
> might be a bug+.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (WW-5004) No more calling of a static variable in Struts 2.8.20 available

2019-02-19 Thread Lukasz Lenart (JIRA)


[ 
https://issues.apache.org/jira/browse/WW-5004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772664#comment-16772664
 ] 

Lukasz Lenart commented on WW-5004:
---

[~santos.r9] this happens in devMode only, see this part {{set struts.devMode 
to false to disable this message}}

> No more calling of a static variable in Struts 2.8.20 available
> ---
>
> Key: WW-5004
> URL: https://issues.apache.org/jira/browse/WW-5004
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.5.20
> Environment: Java 7.1 and JSP Websites
> Reporter: Deniz Renkligül
> Priority: Critical
> Labels: build, features, patch, usability
> Fix For: 2.5.21, 2.6
>
>
> After the update from Struts 2.5.18 to 2.5.20 it is no longer possible to call 
> a Java static variable in JSP like
> {code:java}
> 
> {code}
> For more details, please see the release notes of 2.5.20
> (https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.20).
> I tried, without success, the following description given in the 
> release version notes 2.5.20:
> {code:java}
> 
> 
> {code}
>  https://issues.apache.org/jira/browse/WW-4984
>  
> Thanks in advance for your support.





[jira] [Commented] (WW-5022) Struts 2.6 escaping behaviour change for s:a (anchor) tag

2019-02-19 Thread Lukasz Lenart (JIRA)


[ 
https://issues.apache.org/jira/browse/WW-5022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772662#comment-16772662
 ] 

Lukasz Lenart commented on WW-5022:
---

This is the one thing, the other is that all other plugins (Struts Bootstrap 
plugin) are also affected and I wonder how to resolve that.



[jira] [Commented] (WW-5004) No more calling of a static variable in Struts 2.8.20 available

2019-02-19 Thread Juan Santos (JIRA)


[ 
https://issues.apache.org/jira/browse/WW-5004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772272#comment-16772272
 ] 

Juan Santos commented on WW-5004:
-

Hi, I'm having trouble with static parameters. I'm migrating an application 
from Struts 2.3.35 to 2.5.18, and I have this Struts configuration:
{code:java}

 2
 ${tipoSoc}
 1
 /WEB-INF/jsp/operacion/ag_operacion_cap.jsp
{code}
In the log I'm getting this stack trace:
{code:java}
[ERROR] [com.opensymphony.xwork2.interceptor.StaticParametersInterceptor]: 
Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'tipoSoc' on 'class 
mx.ag.principal.AGClsFinancieroAction: Error setting expression 'tipoSoc' with 
value '${tipoSoc}'
[ERROR] [com.opensymphony.xwork2.interceptor.StaticParametersInterceptor]: 
Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'tipoSoc' on 'class 
mx.ag.principal.AGClsFinancieroAction: Error setting expression 'tipoSoc' with 
value '${tipoSoc}'
[ERROR] [com.opensymphony.xwork2.interceptor.StaticParametersInterceptor]: 
Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'tipoSoc' on 'class 
mx.ag.principal.AGClsFinancieroAction: Error setting expression 'tipoSoc' with 
value '${tipoSoc}'
[WARN ] [com.opensymphony.xwork2.util.AbstractLocalizedTextProvider]: Missing 
key [devmode.notification] in bundle [mx.ag.AGClsMensajeError]!
[ERROR] [com.opensymphony.xwork2.interceptor.ParametersInterceptor]: Developer 
Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 'tipoSoc' on 'class 
mx.ag.principal.AGClsFinancieroAction: Error setting expression 'tipoSoc' with 
value '${tipoSoc}'
[WARN ] [com.opensymphony.xwork2.util.AbstractLocalizedTextProvider]: Missing 
key [invalid.fieldvalue.tipoSoc] in bundle [mx.ag.AGClsMensajeError]!
[WARN ] [com.opensymphony.xwork2.util.AbstractLocalizedTextProvider]: Missing 
key [invalid.fieldvalue.tipoSoc] in bundles [[formatter, global, 
org/apache/struts2/struts-messages, com/opensymphony/xwork2/xwork-messages]]!
[INFO ] [com.opensymphony.xwork2.config.ConfigurationManager]: Detected 
container provider [Struts XML configuration provider (struts-default.xml)] 
needs to be reloaded. Reloading all providers.
[ERROR] [com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor]: No 
result defined for action mx.ag.principal.AGClsFinancieroAction and result input
com.opensymphony.xwork2.config.ConfigurationException: No result defined for 
action mx.ag.principal.AGClsFinancieroAction and result input
 at 
com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:377)
 ~[struts2-core-2.5.18.jar:2.5.18]{code}

The referrercaptura field doesn't have a setter or getter in the 
action (currently it's working fine with Struts 2.3.35); this field is validated 
by a custom interceptor.
The tipoCons and tipoSoc fields have their setters and getters in the Action 
class.

I have been trying with Struts 2.5.18 and 2.5.20 and OGNL 3.1.18 and 3.1.15 but 
the problem is the same.

Thanks in advance



[jira] [Resolved] (WW-5012) Make a public state check the first acceptance check in SecurityMemberAccess

2019-02-19 Thread Yasser Zamani (JIRA)


 [ 
https://issues.apache.org/jira/browse/WW-5012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Yasser Zamani resolved WW-5012.
---
Resolution: Fixed

PR got merged, thanks!

> Make a public state check the first acceptance check in SecurityMemberAccess
> 
>
> Key: WW-5012
> URL: https://issues.apache.org/jira/browse/WW-5012
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Affects Versions: 2.5.20
> Environment: All environments.
> Reporter: James Chaplin
> Priority: Minor
> Labels: performance, security
> Fix For: 2.6
>
>
> During discussion for WW-5004, a recommendation was made by two Apache Struts 
> Team members to adjust the sequence of calls in the SecurityMemberAccess 
> module.
> The recommendation was to make the member's public state check (e.g. 
> checkPublicMemberAccess()) the absolute first check made during acceptance 
> checks.
> This improvement would look at implementing this change for the access check 
> ordering, and any minor enhancements that are applicable to the ordering 
> change.





[jira] [Updated] (WW-5012) Make a public state check the first acceptance check in SecurityMemberAccess

2019-02-19 Thread Yasser Zamani (JIRA)


 [ 
https://issues.apache.org/jira/browse/WW-5012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Yasser Zamani updated WW-5012:
--
Fix Version/s: (was: 2.5.21)



[jira] [Commented] (WW-5012) Make a public state check the first acceptance check in SecurityMemberAccess

2019-02-19 Thread Yasser Zamani (JIRA)


[ 
https://issues.apache.org/jira/browse/WW-5012?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16771717#comment-16771717
 ] 

Yasser Zamani commented on WW-5012:
---

Works for me :) (y)

> Make a public state check the first acceptance check in SecurityMemberAccess
> 
>
> Key: WW-5012
> URL: https://issues.apache.org/jira/browse/WW-5012
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Affects Versions: 2.5.20
> Environment: All environments.
> Reporter: James Chaplin
> Priority: Minor
> Labels: performance, security
> Fix For: 2.5.21, 2.6
>
>
> During discussion for WW-5004, a recommendation was made by two Apache Struts 
> Team members to adjust the sequence of calls in the SecurityMemberAccess 
> module.
> The recommendation was to make the member's public state check (e.g. 
> checkPublicMemberAccess()) the absolute first check made during acceptance 
> checks.
> This improvement would look at implementing this change for the access check 
> ordering, and any minor enhancements that are applicable to the ordering 
> change.
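
The check ordering recommended in WW-5012, sketched as an added example; it is not the Struts SecurityMemberAccess source and not code from this thread. The class name, the exclusion lists and the Sample type are hypothetical, and the code assumes Java 9 or later.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Added illustration, not the Struts SecurityMemberAccess source.
// OrderedMemberAccess, the exclusion lists and Sample are hypothetical names.
public class OrderedMemberAccess {
    // Constructed sample exclusions, for demonstration only.
    static final Set<Class<?>> EXCLUDED_CLASSES = Set.of(Runtime.class, ProcessBuilder.class);
    static final List<Pattern> EXCLUDED_PACKAGES =
            List.of(Pattern.compile("^java\\.lang\\.reflect(\\..*)?$"));

    static int patternChecks = 0; // counts regex evaluations actually performed

    static boolean isAccessible(Member member) {
        // 1. Public-state check first: a single bit test on the modifiers.
        if (!Modifier.isPublic(member.getModifiers())) {
            return false;
        }
        Class<?> owner = member.getDeclaringClass();
        // 2. Exact class exclusions: a set lookup.
        if (EXCLUDED_CLASSES.contains(owner)) {
            return false;
        }
        // 3. Package-name patterns last: the costliest of the three checks.
        String pkg = owner.getPackageName();
        for (Pattern p : EXCLUDED_PACKAGES) {
            patternChecks++;
            if (p.matcher(pkg).matches()) {
                return false;
            }
        }
        return true;
    }

    public static class Sample {
        public String visible = "ok";
        private String hidden = "secret";
    }

    public static void main(String[] args) throws Exception {
        System.out.println(isAccessible(Sample.class.getDeclaredField("hidden")));
        System.out.println("pattern checks after private member: " + patternChecks);
        System.out.println(isAccessible(Sample.class.getDeclaredField("visible")));
        System.out.println(isAccessible(Runtime.class.getMethod("exec", String.class)));
        System.out.println(isAccessible(java.lang.reflect.Method.class
                .getMethod("invoke", Object.class, Object[].class)));
    }
}
```

The private field is rejected before any exclusion list is consulted, so the pattern counter is still zero after the first call; only public members reach the set lookup and the regex loop.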


