struts-user mailing list archives

From JOSE L MARTINEZ-AVIAL <jlm...@gmail.com>
Subject Re: best approach to clean parameters using Jsoup
Date Thu, 20 Nov 2014 14:32:24 GMT
I just used the annotation:
    private String parameterArray[] = null;
    @TypeConversion(rule = ConversionRule.COLLECTION, type = ConversionType.CLASS,
            converter = "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
    public void setParameterArray(String parameterArray[]) {
        this.parameterArray = parameterArray;
        LOG.debug("parameterArray " + Arrays.toString(parameterArray));
    }

Anyway, I discovered why it is not used when the parameter is an array of
String. In the process of looking for the appropriate setter for the
parameter (which is always an array of String), Ognl uses the method
OgnlRuntime.getAppropriateMethod. This method returns the most appropriate
setter for the parameter. If it does not find one, it calls
getConvertedMethodAndArgs, which in turn calls XWorkConverter to convert
the value, which in turn calls the custom converter. But if there is a
perfect match for the setter, then XWorkConverter is not used.

In the case of the parameter "parameter", the setter receives a single
String, and since originally the parameter is an array of String, there is
no perfect match, and Ognl uses XWorkConverter to do the job. But in the
case of the parameter "parameterArray" the setter receives an array of
String, so there is a perfect match and therefore XWorkConverter is not
used; it just calls the setter with the parameter, so the converter is not
used.

2014-11-20 7:48 GMT-05:00 Lukasz Lenart <lukaszlenart@apache.org>:

> How did you register it?
>
> 2014-11-19 12:55 GMT+01:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
> > Quick question here. I'm working on the approach to use a custom conversor.
> > It works fine for standard parameters (Just a String), but I'm having
> > issues when the getter receives a String[] parameters
> >
> >     private String parameter = null;
> >     @TypeConversion(type = ConversionType.CLASS, converter =
> > "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
> >     public void setParameter(String parameter) {
> >         this.parameter = parameter;
> >         LOG.debug("simple parameter "+parameter);
> >     }
> >
> >     private String parameterArray[] = null;
> >     @TypeConversion(rule=     ConversionRule.COLLECTION, type =
> > ConversionType.CLASS, converter =
> > "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
> >     public void setParameterArray(String parameterArray[]) {
> >         this.parameterArray = parameterArray;
> >         LOG.debug("parameterArray " +Arrays.toString(parameterArray));
> >     }
> >
> > the JSoupConversor has a minimal implementation of the conversion:
> >
> >     public Object convertValue(Map context, Object o, Class toClass) {
> >         LOG.debug("convertValue "+o);
> >         return super.convertValue(context,o, toClass);
> >     }
> >
> >     public Object convertFromString(Map context, String[] values, Class
> > toClass) {
> >         LOG.debug("convertFromString "+Arrays.toString(values));
> >         return null;
> >     }
> >
> >     public String convertToString(Map context, Object o) {
> >         LOG.debug("convertToString " +o);
> >         if (o != null)
> >             return o.toString();
> >         return null;
> >     }
> >     protected Object performFallbackConversion(Map context, Object o,
> >             Class toClass) {
> >         LOG.debug("performFallbackConversion "+o);
> >         return super.convertValue(context, o, toClass);
> >     }
> >
> > The issue is that the converter is not being called for the
> > parameterArray, although the setter is being called. The logs are as
> > follows:
> >
> > com.opensymphony.xwork2.interceptor.ParametersInterceptor  - Setting params parameter => [ value1 ] parameterArray => *[ value2, value3 ]*
> > com.opensymphony.xwork2.conversion.impl.DefaultConversionAnnotationProcessor - TypeConversion [com.xxx.yyy.util.conversion.struts2.JSoupConversor] with key: [parameter]
> > *com.opensymphony.xwork2.conversion.impl.DefaultConversionAnnotationProcessor - TypeConversion [com.xxx.yyy.util.conversion.struts2.JSoupConversor] with key: [parameterArray]*
> > com.xxx.yyy.util.conversion.struts2.JSoupConversor  - convertValue [Ljava.lang.String;@1028f08
> > com.xxx.yyy.util.conversion.struts2.JSoupConversor  - convertToString [Ljava.lang.String;@1028f08
> > com.xxx.yyy.modules.test.controller.action.json.TestJSON  - simple parameter [Ljava.lang.String;@1028f08
> > com.xxx.yyy.modules.test.controller.action.json.TestJSON  - *parameterArray [value2, value3]*
> > com.opensymphony.xwork2.validator.ValidationInterceptor  - Invoking validate() on action com.spb.eco.modules.test.controller.action.json.TestJSON@1f4ca39
> >
> > So I see the converter being called for parameter, but not for
> > parameterArray, but the parameterArray is actually being set. What am I
> > missing?
> >
> > Thanks
> >
> >
> > 2014-11-19 6:18 GMT-05:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
> >
> >> Thanks for the ideas. Overwriting retrieveParameters(ActionContext ac)
> >> method seems a good solution, although that would imply doing it to all
> >> parameters. While that could be ok, I would like to take a less aggressive
> >> approach. One option I'm considering is to use a custom Converter that
> >> could take care of this, so I could setup the converter only in those
> >> parameters I know I need to filter. What do you think?
> >>
> >> 2014-11-19 4:57 GMT-05:00 Lukasz Lenart <lukaszlenart@apache.org>:
> >>
> >> 2014-11-19 4:57 GMT+01:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
> >>> > Hello,
> >>> >   We are using Struts 2.3.16.3 for our application. Due to security
> >>> > reasons, we need to "clean" the user's input in order to avoid XSS. We are
> >>> > using JSoup for that, with success (
> >>> > http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer).
> >>> >
> >>> >   The issue is that we haven't found a really good way to integrate it with
> >>> > Struts. Basically we need to pass every String parameter through JSoup to
> >>> > sanitize it, and right now we are doing it manually on the execute method of
> >>> > the action, after the parameters have been loaded in the action and
> >>> > validated. We would like to do it automatically when the parameters are set
> >>> > in the action. In the normal actions we can do it in the getter, but some
> >>> > actions have java beans for parameters, and we don't want to integrate the
> >>> > Jsoup call in the bean methods. Any suggestions about how to do this?
> >>>
> >>> You can override ParametersInterceptor's
> >>> retrieveParameters(ActionContext ac) method and then build your custom
> >>> stack. Or you can develop custom interceptor and put it on the top of
> >>> your stack and do ActionContext.get/setParameters() in intercept()
> >>> method.
> >>>
> >>>
> >>> Regards
> >>> --
> >>> Łukasz
> >>> + 48 606 323 122 http://www.lenart.org.pl/
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> >>> For additional commands, e-mail: user-help@struts.apache.org
> >>>
> >>>
> >>
>
>
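
Added example, not part of the original thread: the custom-interceptor approach suggested in the quoted reply, written for Struts 2.3.x with jsoup's Whitelist cleaner. It rewrites the raw String[] request values before ParametersInterceptor runs, so it does not depend on whether OGNL finds an exact-match setter; the package, class name and the paramNames setting are hypothetical.

```java
// Added example, not code from the thread. Assumes Struts 2.3.x, where
// ActionContext.getParameters() is a Map<String, Object> holding String[] values,
// and a jsoup release that provides org.jsoup.safety.Whitelist.
package com.example.struts2; // hypothetical package

import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class JsoupCleanInterceptor extends AbstractInterceptor { // hypothetical name

    // Parameter names to clean; empty means clean every String[] parameter.
    private final Set<String> paramNames = new HashSet<String>();

    public void setParamNames(String csv) { // filled from <param name="paramNames">
        for (String name : csv.split(",")) {
            if (!name.trim().isEmpty()) {
                paramNames.add(name.trim());
            }
        }
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext ctx = invocation.getInvocationContext();
        Map<String, Object> cleaned = new HashMap<String, Object>(ctx.getParameters());
        for (Map.Entry<String, Object> e : cleaned.entrySet()) {
            boolean selected = paramNames.isEmpty() || paramNames.contains(e.getKey());
            if (selected && e.getValue() instanceof String[]) {
                // Clean element by element: single values and arrays are treated alike,
                // and non-String values (e.g. uploaded files) are left untouched.
                String[] in = (String[]) e.getValue();
                String[] out = new String[in.length];
                for (int i = 0; i < in.length; i++) {
                    out[i] = in[i] == null ? null : Jsoup.clean(in[i], Whitelist.basic());
                }
                e.setValue(out);
            }
        }
        ctx.setParameters(cleaned);
        return invocation.invoke();
    }
}
```

It has to sit before the params interceptor in the stack, and paramNames matches the request parameter name exactly, so a bean property arrives under its full dotted name.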
