Details
- Improvement
- Status: Closed
- Trivial
- Resolution: Fixed
- None
Description
- page: https://struts.apache.org/docs/security.html
- spotted typos:
  - inside a title
    - current: Do not defined setters when not needed
    - fixed: Do not define setters when not needed
  - inside text under title "Do not use incoming values as an input for localisation logic"
    - current: All TextProvider's getText(...) methods (e.g in ActionSupport) performs evaluation of parameters included in a message to properly localize the text. This means using incoming request parameters with getText(...) methods is potentially dangerous and should be avoided. Se example below, assuming that an action implements getter and setter for property message, the below code allows inject an OGNL expression:
    - fixed: All TextProvider's getText(...) methods (e.g in ActionSupport) perform evaluation of parameters included in a message to properly localize the text. This means using incoming request parameters with getText(...) methods is potentially dangerous and should be avoided. See example below, assuming that an action implements getter and setter for property message, the below code allows inject an OGNL expression:
  - inside text under title "Accepted / Excluded patterns"
    - current: ...to check if param can accepted or must be excluded.
    - fixed: ...to check if param can be accepted or must be excluded.
  - inside a title
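The quoted paragraph about getText(...) describes the risk but not what the safe pattern looks like. The following is an added illustration, not code from the Struts security page or the Struts project: a Struts 2 action that feeds a request-controlled property into getText(...) as the message key, next to the same action using a fixed key with the request value passed only as a message argument. The action name, the message keys and the allowed-key set are assumptions.

```java
import java.util.Set;
import com.opensource.xwork2.ActionSupport; // hypothetical import path; real Struts package differs

// Vulnerable form (the pattern the security page warns about): the request
// can set "message", and that value becomes the key that getText(...) evaluates.
class GreetingActionVulnerable extends ActionSupport {
    private String message;          // bound from the request by the params interceptor

    public String getMessage() { return message; }
    public void setMessage(String message) { this.message = message; }

    @Override
    public String execute() {
        // Incoming value used as localisation input: getText evaluates it.
        addActionMessage(getText(message));
        return SUCCESS;
    }
}

// Hardened form: the localisation key is a constant chosen by the code, and the
// request value only ever travels as an argument to a known, fixed message.
class GreetingActionHardened extends ActionSupport {
    private static final String GREETING_KEY = "greeting.user"; // assumed resource key
    private static final Set<String> ALLOWED_KEYS = Set.of("greeting.user", "greeting.guest");
    private String message;

    public String getMessage() { return message; }
    public void setMessage(String message) { this.message = message; }

    // If a caller must choose between variants, map the request value onto a
    // fixed allow-list of keys instead of passing it straight to getText(...).
    static String selectKey(String requested) {
        return ALLOWED_KEYS.contains(requested) ? requested : GREETING_KEY;
    }

    @Override
    public String execute() {
        // Fixed key; the user-supplied text is data, not a localisation key.
        addActionMessage(getText(selectKey("greeting.user"), new String[] { message }));
        return SUCCESS;
    }
}
```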