The security problem with the earlier Struts tags was that it was a two-pass
system. The Container made the first pass through, converting all the JSTL
EL references, then the Struts tags got a chance to process the OGNL. So a
clever thief could conceivably put something in the system where the
container would innocently convert the JSTL EL *into* some not-so-innocent
OGNL. The way around this is to turn off Container evaluation by setting
<rtexprvalue>false</rtexprvalue> on all the tags, and processing both OGNL
and JSTL EL yourself. This is the code I use for that evaluation.
(*Chris*)
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.el.ELException;
import javax.servlet.jsp.el.ExpressionEvaluator;
import javax.servlet.jsp.el.VariableResolver;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.struts2.StrutsStatics;

import com.opensymphony.xwork2.util.ValueStack;

// The imports and this logger field were not in the posted snippet; the
// logger (commons-logging, as Struts 2 used at the time) is an assumption.
private static final Log log = LogFactory.getLog("processArg");

/**
 * Process an Argument using the Value Stack
 *
 * @param stack The Value Stack used to process the argument
 * @param arg   The Argument Value
 * @return The Processed Value
 */
protected static String processArg(ValueStack stack, String arg) {
    if (arg != null) {
        int st, nd;
        // OGNL branch: the argument contains at least one %{...}
        if (((st = arg.lastIndexOf("%{")) != -1)
                && ((nd = arg.indexOf('}', st)) != -1)) {
            String value;
            StringBuilder buf = new StringBuilder(arg);
            do {
                // Resolve the expression against the value stack; an
                // unresolvable expression is removed rather than left as text.
                if ((value = stack.findString(buf.substring(st + 2, nd))) != null) {
                    buf.replace(st, nd + 1, value);
                } else {
                    buf.delete(st, nd + 1);
                }
                // Works right to left and rescans the whole buffer after each
                // replacement, so text a substitution produced is itself
                // subject to evaluation on the next iteration.
            } while (((st = buf.lastIndexOf("%{")) != -1)
                    && ((nd = buf.indexOf("}", st)) != -1));
            return buf.toString();
        // JSTL EL branch: only reached when the argument holds no %{...},
        // so EL output is never handed on to the OGNL evaluator.
        } else if (((st = arg.lastIndexOf("${")) != -1)
                && ((nd = arg.indexOf('}', st)) != -1)) {
            Object value;
            StringBuilder buf = new StringBuilder(arg);
            PageContext pageContext =
                    ((PageContext) stack.getContext().get(StrutsStatics.PAGE_CONTEXT));
            ExpressionEvaluator eval = pageContext.getExpressionEvaluator();
            VariableResolver var = pageContext.getVariableResolver();
            do {
                try {
                    // Evaluate "${...}" (braces included) with the JSP 2.0 EL API.
                    if ((value = eval.evaluate(buf.substring(st, nd + 1),
                            String.class, var, null)) != null) {
                        buf.replace(st, nd + 1, String.valueOf(value));
                    } else {
                        buf.delete(st, nd + 1);
                    }
                } catch (ELException x) {
                    // A malformed or failing expression is dropped, not echoed.
                    buf.delete(st, nd + 1);
                    log.warn("JSP EL Exception", x);
                }
            } while (((st = buf.lastIndexOf("${")) != -1)
                    && ((nd = buf.indexOf("}", st)) != -1));
            return buf.toString();
        }
    }
    return arg;
} // processArg
On Mon, May 11, 2009 at 2:28 PM, cm132005 <[email protected]> wrote:
>
> Thanks for your quick response, Chris. I am just trying to figure out how
> the tag in the example on
> http://struts.apache.org/2.x/docs/access-to-valuestack-from-jsps.html
> is working. I am trying to implement a custom tag which should evaluate
> both JSTL and OGNL expressions.
>
> Thanks.
>
>
> Chris Pratt wrote:
> >
> > As far as #1 is concerned, you can't use JSTL EL (${}) in OGNL tags (<s:>)
> > any longer. That was changed quite a while ago as a security precaution.
> > You would have to change those to OGNL EL (%{}) for them to work.
> >
> > #2 seems to be working as it should with the JSTL Tag.
> >
> > #3 & #4 seem to indicate you have JSTL EL evaluation turned off in your
> > servlet container.
> >
> > I'm not sure what #5 is supposed to do.
> > (*Chris*)
> >
> > On Mon, May 11, 2009 at 1:32 PM, cm132005 <[email protected]> wrote:
> >
> >>
> >> http://struts.apache.org/2.x/docs/access-to-valuestack-from-jsps.html has
> >> an
> >> example on how to access the ValueStack from JSP. I am not able to get
> >> the
> >> tag/tld working in this example.
> >>
> >> <s:set name="a" value="{ 1, 2, 3, 4 }" scope="request"/>
> >> 1. a[0] = <s:property value="${x:vs('a[0]')}"/><br>
> >> 2. a[0] = <c:out value="${(a[0])}"/><br>
> >> 3. a[0] = ${x:vs('a[0]')}<br>
> >> 4. Top of ValueStack: ${x:top()}<br>
> >> 5. <%=Functions.getTopOfValueStack() %>
> >>
> >> Output:
> >> 1. a[0] =
> >> 2. a[0] = 1
> >> 3. a[0] = ${x:vs('a[0]')}
> >> 4. Top of ValueStack: ${x:top()}
> >> 5. com.abc.xyz.example.exampleact...@197cf78
> >>
> >> How does ${x:vs('a[0]')} work?
> >>
> >> --
> >> View this message in context:
> >>
> http://www.nabble.com/Access-to-ValueStack-from-JSPs-tp23490987p23490987.html
> >> Sent from the Struts - User mailing list archive at Nabble.com.
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [email protected]
> >> For additional commands, e-mail: [email protected]
> >>
> >>
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/Access-to-ValueStack-from-JSPs-tp23490987p23491838.html
> Sent from the Struts - User mailing list archive at Nabble.com.
>
>
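The two-pass hazard Chris describes at the top of this message, and the single-pass alternative behind his rtexprvalue=false advice, modelled as an added example (not code from the thread). The two expression languages are constructed stand-ins (dictionary lookups), not JSTL EL or OGNL, and unlike the posted processArg() the single-pass version never rescans text that a substitution produced.

```python
import re

# Constructed stand-ins for the two expression languages in the thread:
# "${...}" resolves against page/request scope (the container's pass) and
# "%{...}" against the value stack (the Struts tag's pass). Real JSTL EL
# and OGNL do far more; plain dictionary lookups are enough to show where
# the second pass bites.
PAGE_SCOPE = {"param.title": "%{greeting}"}  # constructed request data
VALUE_STACK = {"greeting": "hello", "count": "3"}  # constructed stack

JSTL = re.compile(r"\$\{([^}]*)\}")
OGNL = re.compile(r"%\{([^}]*)\}")


def jstl_eval(text, scope=PAGE_SCOPE):
    """Container pass: every ${...} is replaced from page scope."""
    return JSTL.sub(lambda m: scope.get(m.group(1), ""), text)


def ognl_eval(text, stack=VALUE_STACK):
    """Tag pass: every %{...} is replaced from the value stack."""
    return OGNL.sub(lambda m: stack.get(m.group(1), ""), text)


def two_pass(attr):
    """rtexprvalue=true: the container evaluates first and the Struts tag
    then evaluates whatever text that produced, request data included."""
    return ognl_eval(jstl_eval(attr))


def single_pass(attr):
    """rtexprvalue=false: the tag evaluates the attribute itself, treating
    it as either an OGNL or a JSTL argument, never both, and substituted
    text is returned as data rather than evaluated again."""
    if OGNL.search(attr):
        return ognl_eval(attr)
    if JSTL.search(attr):
        return jstl_eval(attr)
    return attr


if __name__ == "__main__":
    for attr in ("${param.title}", "%{count} items", "%{count} ${param.title}"):
        print(f"{attr!r:28} two_pass={two_pass(attr)!r:10} "
              f"single_pass={single_pass(attr)!r}")
```

With the request value `%{greeting}`, the two-pass path returns `hello` because the tag evaluated text the container produced, while the single-pass path returns the literal `%{greeting}`.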