struts-user mailing list archives

From JOSE L MARTINEZ-AVIAL <jlm...@gmail.com>
Subject Re: best approach to clean parameters using Jsoup
Date Wed, 19 Nov 2014 11:55:05 GMT
Quick question here. I'm working on the approach of using a custom converter.
It works fine for standard parameters (just a String), but I'm having
issues when the getter receives a String[] parameter:

    private String parameter = null;

    @TypeConversion(type = ConversionType.CLASS,
            converter = "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
    public void setParameter(String parameter) {
        this.parameter = parameter;
        LOG.debug("simple parameter " + parameter);
    }

    private String parameterArray[] = null;

    @TypeConversion(rule = ConversionRule.COLLECTION, type = ConversionType.CLASS,
            converter = "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
    public void setParameterArray(String parameterArray[]) {
        this.parameterArray = parameterArray;
        LOG.debug("parameterArray " + Arrays.toString(parameterArray));
    }

The JSoupConversor has a minimal implementation of the conversion:

    public Object convertValue(Map context, Object o, Class toClass) {
        LOG.debug("convertValue " + o);
        return super.convertValue(context, o, toClass);
    }

    public Object convertFromString(Map context, String[] values, Class toClass) {
        LOG.debug("convertFromString " + Arrays.toString(values));
        return null;
    }

    public String convertToString(Map context, Object o) {
        LOG.debug("convertToString " + o);
        if (o != null)
            return o.toString();
        return null;
    }

    protected Object performFallbackConversion(Map context, Object o, Class toClass) {
        LOG.debug("performFallbackConversion " + o);
        return super.convertValue(context, o, toClass);
    }

The issue is that the converter is not being called for the
parameterArray, although the setter is being called. The logs are as
follows:

com.opensymphony.xwork2.interceptor.ParametersInterceptor  - Setting params parameter => [ value1 ] parameterArray => *[ value2, value3 ]*
com.opensymphony.xwork2.conversion.impl.DefaultConversionAnnotationProcessor - TypeConversion [com.xxx.yyy.util.conversion.struts2.JSoupConversor] with key: [parameter]
*com.opensymphony.xwork2.conversion.impl.DefaultConversionAnnotationProcessor - TypeConversion [com.xxx.yyy.util.conversion.struts2.JSoupConversor] with key: [parameterArray]*
com.xxx.yyy.util.conversion.struts2.JSoupConversor  - convertValue [Ljava.lang.String;@1028f08
com.xxx.yyy.util.conversion.struts2.JSoupConversor  - convertToString [Ljava.lang.String;@1028f08
com.xxx.yyy.modules.test.controller.action.json.TestJSON  - simple parameter [Ljava.lang.String;@1028f08
com.xxx.yyy.modules.test.controller.action.json.TestJSON  - *parameterArray [value2, value3]*
com.opensymphony.xwork2.validator.ValidationInterceptor  - Invoking validate() on action com.spb.eco.modules.test.controller.action.json.TestJSON@1f4ca39

So I see the converter being called for parameter, but not for
parameterArray, but the parameterArray is actually being set. What am I
missing?

Thanks


2014-11-19 6:18 GMT-05:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:

> Thanks for the ideas. Overwriting retrieveParameters(ActionContext ac)
> method seems a good solution, although that would imply doing it to all
> parameters. While that could be ok, I would like to take a less aggressive
> approach. One option I'm considering is to use a custom Converter that
> could take care of this, so I could setup the converter only in those
> parameters I know I need to filter. What do you think?
>
> 2014-11-19 4:57 GMT-05:00 Lukasz Lenart <lukaszlenart@apache.org>:
>
> 2014-11-19 4:57 GMT+01:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
>> > Hello,
>> >   We are using Struts 2.3.16.3 for our application. Due to security
>> > reasons, we need to "clean" the user's input in order to avoid XSS. We
>> > are using JSoup for that, with success
>> > (http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer).
>> >
>> >   The issue is that we haven't found a really good way to integrate it
>> > with Struts. Basically we need to pass every String parameter through
>> > JSoup to sanitize it, and right now we are doing it manually on the
>> > execute method of the action, after the parameters have been loaded in
>> > the action and validated. We would like to do it automatically when the
>> > parameters are set in the action. In the normal actions we can do it in
>> > the getter, but some actions have java beans for parameters, and we
>> > don't want to integrate the Jsoup call in the bean methods. Any
>> > suggestions about how to do this?
>>
>> You can override ParametersInterceptor's
>> retrieveParameters(ActionContext ac) method and then build your custom
>> stack. Or you can develop custom interceptor and put it on the top of
>> your stack and do ActionContext.get/setParameters() in intercept()
>> method.
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>
