The security problem with the earlier Struts tags was that it was a two-pass
system.  The Container made the first pass through, converting all the JSTL
EL references, then the Struts tags got a chance to process the OGNL.  So a
clever thief could conceivably put something in the system where the
container would innocently convert the JSTL EL *into* some not so innocent
OGNL.  The way around this is to turn off Container evaluation by setting
<rtexprvalue>false</rtexprvalue> on all the tags, and processing both OGNL
and JSTL EL yourself.  This is the code I use for that evaluation.
  (*Chris*)

  import javax.servlet.jsp.PageContext;
  import javax.servlet.jsp.el.ELException;
  import javax.servlet.jsp.el.ExpressionEvaluator;
  import javax.servlet.jsp.el.VariableResolver;

  import org.apache.struts2.StrutsStatics;
  import com.opensymphony.xwork2.util.ValueStack;

  // Assumes the enclosing tag class declares a commons-logging logger named "log".

  /**
   * Process an Argument using the Value Stack
   *
   * @param stack The Value Stack used to process the argument
   * @param arg The Argument Value
   * @return The Processed Value
   */
  protected static String processArg(ValueStack stack, String arg) {
    if (arg != null) {
      int st, nd;
      // OGNL branch: resolve the innermost %{...} first (lastIndexOf) against the value stack
      if (((st = arg.lastIndexOf("%{")) != -1) && ((nd = arg.indexOf('}', st)) != -1)) {
        String value;
        StringBuilder buf = new StringBuilder(arg);
        do {
          if ((value = stack.findString(buf.substring(st + 2, nd))) != null) {
            buf.replace(st, nd + 1, value);
          } else {
            buf.delete(st, nd + 1);   // unresolved expression is dropped from the output
          }
        } while (((st = buf.lastIndexOf("%{")) != -1) && ((nd = buf.indexOf("}", st)) != -1));
        return buf.toString();
      // JSTL EL branch: evaluated here through the JSP ExpressionEvaluator, not by the container
      } else if (((st = arg.lastIndexOf("${")) != -1) && ((nd = arg.indexOf('}', st)) != -1)) {
        Object value;
        StringBuilder buf = new StringBuilder(arg);
        PageContext pageContext = (PageContext) stack.getContext().get(StrutsStatics.PAGE_CONTEXT);
        ExpressionEvaluator eval = pageContext.getExpressionEvaluator();
        VariableResolver var = pageContext.getVariableResolver();
        do {
          try {
            if ((value = eval.evaluate(buf.substring(st, nd + 1), String.class, var, null)) != null) {
              buf.replace(st, nd + 1, String.valueOf(value));
            } else {
              buf.delete(st, nd + 1);
            }
          } catch (ELException x) {
            buf.delete(st, nd + 1);   // a failing expression is dropped, not left in place
            log.warn("JSP EL Exception", x);
          }
        } while (((st = buf.lastIndexOf("${")) != -1) && ((nd = buf.indexOf("}", st)) != -1));
        return buf.toString();
      }
    }
    return arg;   // no expression present: the literal text passes through unchanged
  } //processArg
On Mon, May 11, 2009 at 2:28 PM, cm132005 <cm132...@gmail.com> wrote:

>
> Thanks for your quick response, Chris. I am just trying to figure out how
> the tag in the example on
> http://struts.apache.org/2.x/docs/access-to-valuestack-from-jsps.html
> is working. I am trying to implement a custom tag which should evaluate
> both JSTL and OGNL expressions.
>
> Thanks.
>
>
> Chris Pratt wrote:
> >
> > As far as #1 is concerned, you can't use JSTL EL (${}) in OGNL tags (<s:>)
> > any longer.  That was changed quite a while ago as a security precaution.
> > You would have to change those to OGNL EL (%{}) for them to work.
> >
> > #2 seems to be working as it should with the JSTL Tag.
> >
> > #3 & #4 seem to indicate you have JSTL EL evaluation turned off in your
> > servlet container.
> >
> > I'm not sure what #5 is supposed to do.
> >   (*Chris*)
> >
> > On Mon, May 11, 2009 at 1:32 PM, cm132005 <cm132...@gmail.com> wrote:
> >
> >>
> >> http://struts.apache.org/2.x/docs/access-to-valuestack-from-jsps.html has
> >> an example on how to access the ValueStack from JSP. I am not able to get
> >> the tag/tld working in this example.
> >>
> >> <s:set name="a" value="{ 1, 2, 3, 4 }" scope="request"/>
> >> 1. a[0] = <s:property value="${x:vs('a[0]')}"/><br>
> >> 2. a[0] = <c:out value="${(a[0])}"/><br>
> >> 3. a[0] = ${x:vs('a[0]')}<br>
> >> 4. Top of ValueStack: ${x:top()}<br>
> >> 5. <%=Functions.getTopOfValueStack() %>
> >>
> >> Output:
> >> 1. a[0] =
> >> 2. a[0] = 1
> >> 3. a[0] = ${x:vs('a[0]')}
> >> 4. Top of ValueStack: ${x:top()}
> >> 5. com.abc.xyz.example.exampleact...@197cf78
> >>
> >> How does ${x:vs('a[0]')} work?
> >>
> >> --
> >> View this message in context:
> >> http://www.nabble.com/Access-to-ValueStack-from-JSPs-tp23490987p23490987.html
> >> Sent from the Struts - User mailing list archive at Nabble.com.
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> >> For additional commands, e-mail: user-h...@struts.apache.org
> >>
> >>
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/Access-to-ValueStack-from-JSPs-tp23490987p23491838.html
> Sent from the Struts - User mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
>
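
To make the evaluation-order point in Chris's reply concrete, here is an added toy model (my own Python, not Chris's processArg and not a real OGNL or JSTL evaluator): two_pass imitates the old container-then-tag lifecycle, single_pass imitates a tag that owns both syntaxes under rtexprvalue=false. The scope dictionaries, the "q" parameter value and the "secret" attribute are all constructed sample data.

```python
import re

# Constructed sample data, not from the thread: page scope as the container
# would see it, with "q" standing in for an echoed request parameter.
PAGE_SCOPE = {"user": "alice", "q": "%{secret}"}
# Toy value stack; "secret" stands in for anything the page never meant to expose.
VALUE_STACK = {"user": "alice", "secret": "token-123"}

JSTL_EL = re.compile(r"\$\{([^}]*)\}")
OGNL = re.compile(r"%\{([^}]*)\}")
ANY_EXPR = re.compile(r"([$%])\{([^}]*)\}")

def container_pass(text):
    """Models the container evaluating JSTL EL in an rtexprvalue=true attribute."""
    return JSTL_EL.sub(lambda m: str(PAGE_SCOPE.get(m.group(1).strip(), "")), text)

def tag_ognl_pass(text):
    """Models the Struts tag evaluating %{...}; the toy 'OGNL' is a plain stack lookup."""
    return OGNL.sub(lambda m: str(VALUE_STACK.get(m.group(1).strip(), "")), text)

def two_pass(attr):
    """Old lifecycle: the container substitutes ${} first, then the tag sees the result,
    so text that came out of page scope is treated as an OGNL expression."""
    return tag_ognl_pass(container_pass(attr))

def single_pass(attr):
    """rtexprvalue=false lifecycle: the tag resolves both syntaxes in one left-to-right
    scan of the original attribute text; substituted values are copied verbatim and
    never rescanned, so data cannot turn into an expression."""
    out, pos = [], 0
    for m in ANY_EXPR.finditer(attr):
        out.append(attr[pos:m.start()])
        scope = PAGE_SCOPE if m.group(1) == "$" else VALUE_STACK
        out.append(str(scope.get(m.group(2).strip(), "")))
        pos = m.end()
    out.append(attr[pos:])
    return "".join(out)

if __name__ == "__main__":
    attr = 'Hello ${user}, you searched for "${q}" (stack user: %{user})'
    print("two-pass:   ", two_pass(attr))
    print("single-pass:", single_pass(attr))
```

In the two-pass run the "q" value comes back as the stack's secret; in the single-pass run it stays the literal text %{secret}.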
