czw., 11 sty 2024 o 22:49 Burton Rhodes <burtonrho...@gmail.com> napisał(a):
>
> If I were to guess they removed the "?no_esc" flag in version 6.x in the
> .ftl file. That said, it's easy to override this. (Assuming you are
> using the Struts "simple" template) Locate the file
> [struts2-core-6.3.0.2.jar]\template\simple\radiomap.ftl and copy it
> into your resources directory with the same tree:
> resource\\template\simple\radiomap.ftl
>
> Then towards the end of the ftl file you will see the <label> tag. Just
> add "?no_esc" to the ${itemValue}. Like this...
>
> <label for="${parameters.id}${itemKeyStr?replace(".", "_")}"<#include
> "/${parameters.templateDir}/${parameters.expandTheme}/css.ftl"/>><#rt/>
> ${itemValue?no_esc}<#t/>
> </label>
>
> They most likely removed it due to security issues, but feel free to
> change if you feel it's "safe". I tested the above code and it worked
> for me.
Thanks Burton for the solution! The issue is rather simple, a new
Freemarker version escapes everything automatically, so we had to
unescape everything. Yet in this case there was never ?no_esc flag as
this worked fine with older versions of Freemarker. Adding ?no_esc
shouldn't be a security issue IMHO. Feel free to create a ticket in
JIRA to address this problem.
Cheers
Łukasz
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
