struts-issues mailing list archives

From "Yasser Zamani (JIRA)" <>
Subject [jira] [Commented] (WW-5022) Struts 2.6 escaping behaviour change for s:a (anchor) tag
Date Wed, 20 Feb 2019 07:17:00 GMT


Yasser Zamani commented on WW-5022:

What is the philosophy that auto-escaping is a critical need?! If there isn't one, and as it
looks like a huge behavioral change, then let's disable auto-escaping. I myself, as a user/developer,
prefer flexibility over security - I myself should care!

> Struts 2.6 escaping behaviour change for s:a (anchor) tag
> ---------------------------------------------------------
>                 Key: WW-5022
>                 URL:
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.6
>         Environment: Tomcat 7.0, 8.5 using Java 8 and 11.
>            Reporter: James Chaplin
>            Priority: Major
>             Fix For: 2.6
> While interacting with the current 2.6 Showcase application I recently noticed that
the "Home" glyph icon was not displaying correctly.  Instead of the icon, the page displayed
the body content literally in the browser.  Checking the page source (view source in browser)
it turns out the body content of the tag was HTML-escaped.  I double-checked and this does
not happen to Struts 2.5.21 (snapshot) or older 2.6 Showcase apps.
> This behaviour might affect other tags, but it was noticed and confirmed with "s:a"
(the JSP anchor tag).
> After some digging (using older commits from GitHub and building the 2.6 Showcase app
from them) it appears the automatic body escaping did not occur prior to January 2nd 2019,
but was introduced with one of the multiple commits applied on January 3rd 2019.
> It could be an interaction between earlier mid-December 2018 commits that changed the
Freemarker configuration version in FreemarkerManager (Configuration.VERSION_2_3_0) to a new
one (Configuration.VERSION_2_3_28), combined with the January 3rd commits.  Couldn't find
the exact cause, but perhaps one of the Struts Team might be able to do so.
> Given the original/old behaviour it seems that auto-escaping the tag body might be a

This message was sent by Atlassian JIRA
