Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dale Newfield
Chris Pratt wrote: I don't know about other containers, but this works great on Resin. I do it today. Glad to learn I'm wrong! So the pluggable EL version of the struts tags should all be able to work with the same .tld, with rtexprvalue set to false everywhere, and the tag attributes that s

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Chris Pratt
On Thu, Mar 6, 2008 at 4:59 PM, Dale Newfield <[EMAIL PROTECTED]> wrote: > Chris Pratt wrote: > > The proposed flow (with false > The bit you're missing is that if you have a tag attribute with > rtexprvalue set to false that contains what the container thinks is an > EL expression (i.e., "${fo

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Brian Pontarelli
Dale Newfield wrote: Chris Pratt wrote: The proposed flow (with false The bit you're missing is that if you have a tag attribute with rtexprvalue set to false that contains what the container thinks is an EL expression (i.e., "${foo}"), the jsp compilation will fail, so it will never execute

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dale Newfield
Chris Pratt wrote: The proposed flow (with false The bit you're missing is that if you have a tag attribute with rtexprvalue set to false that contains what the container thinks is an EL expression (i.e., "${foo}"), the jsp compilation will fail, so it will never execute and pass the string "

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dave Newton
--- Chris Pratt <[EMAIL PROTECTED]> wrote: > * The struts tag first parses the attribute looking for "${", if it is > found it uses the JSP EL API to evaluate the value for the attribute. > If it is not found, it is assumed to be OGNL and processed just like > today. Oh, gotcha. Re-meh. Dave --

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Chris Pratt
On Thu, Mar 6, 2008 at 4:27 PM, Dave Newton <[EMAIL PROTECTED]> wrote: > --- Chris Pratt <[EMAIL PROTECTED]> wrote: > > > today). My proposed change would be at the point where the attribute > > is evaluated (I have no idea where that happens within the struts > > component framework). Before p

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dave Newton
--- Chris Pratt <[EMAIL PROTECTED]> wrote: > today). My proposed change would be at the point where the attribute > is evaluated (I have no idea where that happens within the struts > component framework). Before processing the attribute it should first > be checked to see if it contains JSTL EL

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Chris Pratt
On Thu, Mar 6, 2008 at 10:25 AM, Dave Newton <[EMAIL PROTECTED]> wrote: > --- Chris Pratt <[EMAIL PROTECTED]> wrote: > > Only if we allow the container to process the JSTL EL. If we turn the > > container off and process the JSTL EL inside of the Struts tag > > library, the security hole vanish

Re: [S2] Code does not use generics too much

2008-03-06 Thread Brian Pontarelli
David Durham, Jr. wrote: On Thu, Mar 6, 2008 at 2:42 PM, Brian Pontarelli <[EMAIL PROTECTED]> wrote: You can't put things into Maps that have wildcards. The compiler complains because Object really isn't '?'. Although most language pragmatists would tell you it is. But the language zealots

Re: [S2] Code does not use generics too much

2008-03-06 Thread David Durham, Jr.
On Thu, Mar 6, 2008 at 2:42 PM, Brian Pontarelli <[EMAIL PROTECTED]> wrote: > You can't put things into Maps that have wildcards. The compiler > complains because Object really isn't '?'. Although most language > pragmatists would tell you it is. But the language zealots say otherwise, > and tho

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Jeromy Evans
Bob Tiernay wrote: If adding a jstl enabled tld is because it's "dangerous" with ognl expression use, then make the uri: "struts-dangerous"! If it's because there is a process issue, lets discuss :) Bob Process issue : an APT task automatically generates the TLD using annotations on ea

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Felipe Rodrigues
That's what I was looking for!!! :-) Felipe Antonio Petrelli-3 wrote: > > Sorry if I come up now, but there is an effort to create an EL plugin > for Struts 2.1.x: > http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin/ > http://svn.apache.org/repos/asf/struts/sandbox/trun

Re: [S2] Code does not use generics too much

2008-03-06 Thread Brian Pontarelli
Correct me if I'm wrong but I believe that restricts the map to only accepting values that are exactly Object. It will not allow things that extend Object, only Object themselves. You could use: Map Which is just a long-hand way of saying: May You can't put things into Maps that have wil

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Brian Pontarelli
There are two discussions going on here that could probably be split: 1. OGNL vs. JUEL 2. Taglibs #1 has already come up a number of times and I believe that there is enough support to move the JUEL plugin forward and start removing OGNL once a roadmap is clear. The wiki page Dale pointed to i

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
thanks I'll check it... On 06 Mar 08, at 19:49, Antonio Petrelli wrote: Sorry if I come up now, but there is an effort to create an EL plugin for Struts 2.1.x: http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin/ http://svn.apache.org/repos/asf/struts/sandb

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Antonio Petrelli
Sorry if I come up now, but there is an effort to create an EL plugin for Struts 2.1.x: http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin/ http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin-example/ If you want EL support back, please contribute to this sa

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
On 06 Mar 08, at 19:04, Dale Newfield wrote: Andrea Vettori wrote: That's true but shouldn't the app do some input checking? What you're suggesting is that we make this framework vulnerable to poorly written applications? I'd say the framework should be written so that

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dave Newton
--- Chris Pratt <[EMAIL PROTECTED]> wrote: > Only if we allow the container to process the JSTL EL. If we turn the > container off and process the JSTL EL inside of the Struts tag > library, the security hole vanishes. So does my ability to use ${narnar} inside a JSP page, no? That's not somethin

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dale Newfield
Andrea Vettori wrote: That's true but shouldn't the app do some input checking? What you're suggesting is that we make this framework vulnerable to poorly written applications? I'd say the framework should be written so that even poorly written applications can't compromise it. It's the s

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dale Newfield
Chris Pratt wrote: Only if we allow the container to process the JSTL EL. If we turn the container off and process the JSTL EL inside of the Struts tag library, the security hole vanishes. Right--if you replace OGNL with EL in struts, the security issues that come from executing both go away.

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Chris Pratt
On Thu, Mar 6, 2008 at 9:37 AM, Dale Newfield <[EMAIL PROTECTED]> wrote: > Andrea Vettori wrote: > > can someone explain why it's bad practice to do something like this in a > > jsp page : > > > > > > > > Because the value of ${result} will then be evaluated as an OGNL expression. > > So l

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
That's true but shouldn't the app do some input checking? It's the same as SQL injection... On 06 Mar 08, at 18:37, Dale Newfield wrote: Andrea Vettori wrote: can someone explain why it's bad practice to do something like this in a jsp page : Because the value of ${res

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dale Newfield
Andrea Vettori wrote: can someone explain why it's bad practice to do something like this in a jsp page : Because the value of ${result} will then be evaluated as an OGNL expression. So let's say this sometaglib:sometag tag finds the current user's username and sticks it in the var attribu

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Felipe Rodrigues
>But we have that situation in most pages that we develop. Since the >Struts tags are not all encompassing, we must supplement our framework >with other tags, like DisplayTag and other standard JSP tags. So, >allowing the full use of JUEL (or JSTL EL) in the Struts tags, >actually reduces confus

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Felipe Rodrigues
Ok... I agree with you now. Would be really nice just have EL that should be a unified expression language. Maybe improve EL using OGNL concepts would be nice too, but not have both (OGNL and EL) in the same logic. The problem is that OGNL is in the heart of Struts2. We just can't take it out, or

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Chris Pratt
On Thu, Mar 6, 2008 at 8:43 AM, Andrea Vettori <[EMAIL PROTECTED]> wrote: > My point is that there are many jsp tag libraries out there. For > example, I've developed and I'm maintaining four big ecommerce sites > with struts2 and some taglibs. But I'm using 2.0.8 since in many jsp > pages I've u

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Chris Pratt
On Thu, Mar 6, 2008 at 7:51 AM, Felipe Rodrigues <[EMAIL PROTECTED]> wrote: > > Your suggestion for question 1 is good, since we have more description on > struts documentation. > > The 2 point is the most important, from my view. > Use JSP EL in Struts2 tag is not a best practice. Match these k

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
My point is that there are many jsp tag libraries out there. For example, I've developed and I'm maintaining four big ecommerce sites with struts2 and some taglibs. But I'm using 2.0.8 since in many jsp pages I've used EL in struts tags. I think that bad practice is using request variables int

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Felipe Rodrigues
In this way there is not bad practice visible. Imagine the situation: > http://www.nabble.com/Issue-WW-2107-question---Is-JSTL-disable-or-not--tp15830208p15877164.html Sent from the Struts - Dev mailing list archive at Nabble.com. --

Re: Form submision after return forward out of action

2008-03-06 Thread Dave Newton
Please ask this question on the struts-user list. The struts-dev forum regards the development of Struts itself. Thanks, Dave --- phowells <[EMAIL PROTECTED]> wrote: > Using Struts 1.3.x and I have this problem with error messages being displayed > after moving from one page to another. > > I use

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
Hi, can someone explain why it's bad practice to do something like this in a jsp page : The 2 point is the most important, from my view. Use JSP EL in Struts2 tag is not a best practice. Match these kind of languages could make the code confuse to be maintained. Sometimes you use OGNL, ot

Re: Severe production issue: struts2-core-2.0.9.jar has hundres of file handles

2008-03-06 Thread Hilbert Schraal, Hippe IT
Same problem happens in 2.0.11. We have fixed this particular problem by creating the freemarker.properties as described on the performance tuning page (http://struts.apache.org/2.0.11/docs/performance-tuning.html) Note that we had a similar problem with *-conversion.properties files. If you enco

RE: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Felipe Rodrigues
Your suggestion for question 1 is good, since we have more description on struts documentation. The 2 point is the most important, from my view. Use JSP EL in Struts2 tag is not a best practice. Match these kind of languages could make the code confuse to be maintained. Sometimes you use OGNL, oth

Re: [S2] Code does not use generics too much

2008-03-06 Thread Robert
FYI: Over the period of a year I gradually moved a medium size code base 450 Classes to Generics. Towards the very end I started to trust IntelliJ 7s Automated Generification for blocks of code. I believe it can change a whole code base over with a click of a button, though I haven't used it.

Form submision after return forward out of action

2008-03-06 Thread phowells
Using Struts 1.3.x and I have this problem with error messages being displayed after moving from one page to another. I use the validate method in the form class and here is where the problem occurs. I use java script to set the value of button on the form so that we can check if next was set

RE: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Bob Tiernay
1. can be addressed by tld/tag description elements in the tld that show up in modern IDEs. Is 2. really a problem? Sorry, I didn't really understand. Bob > Bob, > > I see 2 problems. > First, there should be a very clear explanation about this > "struts-dangerous", telling the risk of use JST

RE: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Felipe Rodrigues
Bob, I see 2 problems. First, there should be a very clear explanation about this "struts-dangerous", telling the risk of use JSTL in struts tags. Also, I think the static calls by OGNL should be disabled, and maybe it represents a refactor anyway. The good point is that you can enable static acc

RE: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Bob Tiernay
You are right about he. > --- Antonio Petrelli <[EMAIL PROTECTED]> wrote:> > 2008/3/6, Bob Tiernay > <[EMAIL PROTECTED]>:> > > With each new struts release, I need to extract the > tld and update it.> > > > You don't need it, if you put the Struts 2 JARs in > /WEB-INF/lib and refer> > to tagl

Re: [S2] Code does not use generics too much

2008-03-06 Thread Antonio Petrelli
2008/3/6, Giovanni Azua <[EMAIL PROTECTED]>: > > hi Antonio, > > Is it required to be officially a contributor to volunteer? I am very > tempted :) > > Any time frame in mind? I can not look yet while in the office. Just post patches in the previously mentioned issues, and there is no time frame

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dave Newton
--- Antonio Petrelli <[EMAIL PROTECTED]> wrote: > 2008/3/6, Bob Tiernay <[EMAIL PROTECTED]>: > > With each new struts release, I need to extract the tld and update it. > > You don't need it, if you put the Struts 2 JARs in /WEB-INF/lib and refer > to taglibs this way: > <%@ taglib uri="/struts-ta

Re: [S2] Code does not use generics too much

2008-03-06 Thread Giovanni Azua
hi Antonio, Is it required to be officially a contributor to volunteer? I am very tempted :) Any time frame in mind? I can not look yet while in the office. best regards, Giovanni Antonio Petrelli wrote: 2008/3/5, Wes Wannemacher <[EMAIL PROTECTED]>: Go ahead and start a JIRA Her

Re: [S2] Code does not use generics too much

2008-03-06 Thread Antonio Petrelli
2008/3/5, Wes Wannemacher <[EMAIL PROTECTED]>: > Go ahead and start a JIRA Here they are: http://jira.opensymphony.com/browse/XW-615 https://issues.apache.org/struts/browse/WW-2537 I have no time at the moment for working on it (I'm working for Tiles too, you know...), so if anyone else wants to

Re: [S2] Code does not use generics too much

2008-03-06 Thread Antonio Petrelli
2008/3/6, Chris Pratt <[EMAIL PROTECTED]>: > > Correct me if I'm wrong but I believe that restricts the map to only > accepting values that are exactly Object. Well, yes and no... It restricts the maps to be used that have exactly the type: Map But it does not mean that you cannot use as a value

Re: [S2] Code does not use generics too much

2008-03-06 Thread Chris Pratt
On Thu, Mar 6, 2008 at 12:15 AM, Antonio Petrelli <[EMAIL PROTECTED]> wrote: > 2008/3/6, Chris Pratt <[EMAIL PROTECTED]>: > > > > > On Wed, Mar 5, 2008 at 2:57 PM, Wes Wannemacher <[EMAIL PROTECTED]> wrote: > > > If you are going to parameterize the collections that are > > > used, you will fi

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Antonio Petrelli
2008/3/6, Bob Tiernay <[EMAIL PROTECTED]>: > > With each new struts release, I need to extract the tld and update it. You don't need it, if you put the Struts 2 JARs in /WEB-INF/lib and refer to taglibs this way: <%@ taglib uri="/struts-tags" prefix="s" %> Antonio

Re: [S2] Code does not use generics too much

2008-03-06 Thread Antonio Petrelli
2008/3/6, Chris Pratt <[EMAIL PROTECTED]>: > > On Wed, Mar 5, 2008 at 2:57 PM, Wes Wannemacher <[EMAIL PROTECTED]> wrote: > > If you are going to parameterize the collections that are > > used, you will find that not all of them can be parameterized (such as > > the Map that represents the HTTP