The security problem with the earlier Struts tags was that it was a two-pass system. The Container made the first pass through, converting all the JSTL EL references, then the Struts tags got a chance to process the OGNL. So a clever thief could conceivably put something in the system where the container would innocently convert the JSTL EL *into* some not so innocent OGNL. The way around this is to turn off Container evaluation by setting <rtexprvalue>false</rtexprvalue> on all the tags, and processing both OGNL and JSTL EL yourself. This is the code I use for that evaluation. (*Chris*)
// Imports added so the snippet compiles as posted; the original message only
// contained the method body. The logger field is assumed (the original refers
// to an undeclared `log`); substitute whatever logging facade your project uses.
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.el.ELException;
import javax.servlet.jsp.el.ExpressionEvaluator;
import javax.servlet.jsp.el.VariableResolver;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.struts2.StrutsStatics;
import com.opensymphony.xwork2.util.ValueStack;

private static final Log log = LogFactory.getLog("processArg"); // assumed declaration

/**
 * Process an Argument using the Value Stack
 *
 * @param stack The Value Stack used to process the argument
 * @param arg   The Argument Value
 * @return The Processed Value
 */
protected static String processArg(ValueStack stack, String arg) {
    if (arg != null) {
        int st, nd;
        // OGNL branch: expand every %{...} against the ValueStack, working from the end
        if (((st = arg.lastIndexOf("%{")) != -1) && ((nd = arg.indexOf('}', st)) != -1)) {
            String value;
            StringBuilder buf = new StringBuilder(arg);
            do {
                if ((value = stack.findString(buf.substring(st + 2, nd))) != null) {
                    buf.replace(st, nd + 1, value);
                } else {
                    buf.delete(st, nd + 1); // unresolved expression is dropped
                }
            } while (((st = buf.lastIndexOf("%{")) != -1) && ((nd = buf.indexOf("}", st)) != -1));
            return buf.toString();
        // JSTL EL branch: expand every ${...} with the container's own evaluator
        } else if (((st = arg.lastIndexOf("${")) != -1) && ((nd = arg.indexOf('}', st)) != -1)) {
            Object value;
            StringBuilder buf = new StringBuilder(arg);
            PageContext pageContext = ((PageContext) stack.getContext().get(StrutsStatics.PAGE_CONTEXT));
            ExpressionEvaluator eval = pageContext.getExpressionEvaluator();
            VariableResolver var = pageContext.getVariableResolver();
            do {
                try {
                    if ((value = eval.evaluate(buf.substring(st, nd + 1), String.class, var, null)) != null) {
                        buf.replace(st, nd + 1, String.valueOf(value));
                    } else {
                        buf.delete(st, nd + 1);
                    }
                } catch (ELException x) {
                    buf.delete(st, nd + 1); // a failed expression is removed, not echoed back
                    log.warn("JSP EL Exception", x);
                }
            } while (((st = buf.lastIndexOf("${")) != -1) && ((nd = buf.indexOf("}", st)) != -1));
            return buf.toString();
        }
    }
    return arg;
} // processArg

On Mon, May 11, 2009 at 2:28 PM, cm132005 <cm132...@gmail.com> wrote:
>
> Thanks for your quick response, Chris. I am just trying to figure out how
> the tag in the example on
> http://struts.apache.org/2.x/docs/access-to-valuestack-from-jsps.html
> is working. I am trying to implement a custom tag which should evaluate
> both JSTL and OGNL expressions.
>
> Thanks.
>
>
> Chris Pratt wrote:
> >
> > As far as #1 is concerned, you can't use JSTL EL (${}) in OGNL tags (<s:>)
> > any longer. That was changed quite a while ago as a security precaution.
> > You would have to change those to OGNL EL (%{}) for them to work.
> >
> > #2 seems to be working as it should with the JSTL Tag.
> >
> > #3 & #4 seem to indicate you have JSTL EL evaluation turned off in your
> > servlet container.
> >
> > I'm not sure what #5 is supposed to do.
> > (*Chris*)
> >
> > On Mon, May 11, 2009 at 1:32 PM, cm132005 <cm132...@gmail.com> wrote:
> >
> >> http://struts.apache.org/2.x/docs/access-to-valuestack-from-jsps.html has
> >> an example on how to access the ValueStack from JSP. I am not able to get
> >> the tag/tld working in this example.
> >>
> >> <s:set name="a" value="{ 1, 2, 3, 4 }" scope="request"/>
> >> 1. a[0] = <s:property value="${x:vs('a[0]')}"/><br>
> >> 2. a[0] = <c:out value="${(a[0])}"/><br>
> >> 3. a[0] = ${x:vs('a[0]')}<br>
> >> 4. Top of ValueStack: ${x:top()}<br>
> >> 5. <%=Functions.getTopOfValueStack() %>
> >>
> >> Output:
> >> 1. a[0] =
> >> 2. a[0] = 1
> >> 3. a[0] = ${x:vs('a[0]')}
> >> 4. Top of ValueStack: ${x:top()}
> >> 5. com.abc.xyz.example.exampleact...@197cf78
> >>
> >> How does ${x:vs('a[0]')} work?
> >>
> >> --
> >> View this message in context:
> >> http://www.nabble.com/Access-to-ValueStack-from-JSPs-tp23490987p23490987.html
> >> Sent from the Struts - User mailing list archive at Nabble.com.
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> >> For additional commands, e-mail: user-h...@struts.apache.org
> >>
> >
>
> --
> View this message in context:
> http://www.nabble.com/Access-to-ValueStack-from-JSPs-tp23490987p23491838.html
> Sent from the Struts - User mailing list archive at Nabble.com.
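The two-pass problem Chris describes, reduced to a stand-alone Java program. This is an added illustration, not code from the thread or from Struts: the container's JSTL EL layer and the OGNL ValueStack are both replaced by plain maps (`containerVars`, `stackVars`), the request parameter value is constructed, and `twoPass` / `singlePass` / `expandOnce` are names chosen here. `twoPass` reproduces the old behaviour (container expands `${...}` first, then the tag evaluates `%{...}` over the result), so a request-supplied value of `%{secret}` ends up being looked up on the stack. `singlePass` mirrors the remedy in `processArg`: an attribute is treated as either OGNL or JSTL EL and expanded exactly once, and whatever a substitution produces is emitted as literal text.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Toy model of the two evaluation layers: "container" stands in for JSTL EL
 * (${...}) and "stack" for OGNL on the Struts ValueStack (%{...}).
 * Both are plain maps here; no real EL or OGNL engine is involved.
 */
public class SinglePassDemo {
    private static final Pattern JSTL = Pattern.compile("\\$\\{([^}]*)\\}");
    private static final Pattern OGNL = Pattern.compile("%\\{([^}]*)\\}");

    // Constructed sample data: one request parameter (untrusted input)
    // and two values that live only on the value stack.
    static final Map<String, String> containerVars = new HashMap<>();
    static final Map<String, String> stackVars = new HashMap<>();
    static {
        containerVars.put("param.name", "%{secret}"); // supplied by the request
        stackVars.put("user", "alice");
        stackVars.put("secret", "stack-only value");
    }

    /**
     * Expand every match of pat using the lookup map; unknown keys become "".
     * A single Matcher walk means substituted text is never rescanned.
     */
    static String expandOnce(String text, Pattern pat, Map<String, String> vars) {
        Matcher m = pat.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String v = vars.get(m.group(1).trim());
            m.appendReplacement(out, Matcher.quoteReplacement(v == null ? "" : v));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Old behaviour: container pass first, then the tag's OGNL pass over its output. */
    static String twoPass(String attr) {
        String afterContainer = expandOnce(attr, JSTL, containerVars);
        return expandOnce(afterContainer, OGNL, stackVars);
    }

    /** Remedy: pick the syntax the attribute uses and expand it exactly once. */
    static String singlePass(String attr) {
        if (attr.contains("%{")) {
            return expandOnce(attr, OGNL, stackVars);
        }
        if (attr.contains("${")) {
            return expandOnce(attr, JSTL, containerVars);
        }
        return attr;
    }

    public static void main(String[] args) {
        String attr = "Hello ${param.name}";
        System.out.println("two-pass:    " + twoPass(attr));
        System.out.println("single-pass: " + singlePass(attr));
        System.out.println("ognl attr:   " + singlePass("Hello %{user}"));
    }
}
```

Running it prints `Hello stack-only value` for the two-pass path (the request value was promoted into an OGNL lookup) and `Hello %{secret}` for the single-pass path (the request value stays text), while a genuine OGNL attribute still resolves to `Hello alice`. One point worth checking when adapting `processArg` above: because `expandOnce` advances a single `Matcher` over the input, text it has just substituted is never rescanned, whereas the `do … while` loops in `processArg` call `lastIndexOf` on the whole buffer after each replacement, so a value that itself contains `%{` or `${` would be picked up on the next iteration if such values can appear on the stack or in the page context.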