struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: best approach to clean parameters using Jsoup
Date Thu, 20 Nov 2014 19:50:24 GMT
Yeah... basically conversion isn't needed in that case ;-)

2014-11-20 15:32 GMT+01:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
> I just used the annotation:
>     private String parameterArray[] = null;
>     @TypeConversion(rule = ConversionRule.COLLECTION, type = ConversionType.CLASS,
>                     converter = "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
>     public void setParameterArray(String parameterArray[]) {
>         this.parameterArray = parameterArray;
>         LOG.debug("parameterArray " + Arrays.toString(parameterArray));
>     }
>
> Anyway, I discovered why it is not used when the parameter is an array of
> String. In the process to look for the appropriate setter for the
> parameter (which is always an array of String), Ognl uses the method
> OgnlRuntime.getAppropriateMethod. This method returns the most appropriate
> setter for the parameter. If it does not find one, it calls
> getConvertedMethodAndArgs, which in turn calls XWorkConverter to convert
> the value, which in turn calls the custom converter. But if there is a
> perfect match for the setter, then XWorkConverter is not used.
>
> In the case of the parameter "parameter", the setter receives a single
> String, and since originally the parameter is an array of String, there is
> no perfect match, and Ognl uses XWorkConverter to do the job. But in the
> case of the parameter "parameterArray" the setter receives an array of
> String, so there is a perfect match and therefore XWorkConverter is not
> used; Ognl just calls the setter with the parameter, so the converter is not
> used.
>
> 2014-11-20 7:48 GMT-05:00 Lukasz Lenart <lukaszlenart@apache.org>:
>
>> How did you register it?
>>
>> 2014-11-19 12:55 GMT+01:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
>> > Quick question here. I'm working on the approach to use a custom converter.
>> > It works fine for standard parameters (just a String), but I'm having
>> > issues when the getter receives a String[] parameter.
>> >
>> >     private String parameter = null;
>> >     @TypeConversion(type = ConversionType.CLASS,
>> >                     converter = "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
>> >     public void setParameter(String parameter) {
>> >         this.parameter = parameter;
>> >         LOG.debug("simple parameter " + parameter);
>> >     }
>> >
>> >     private String parameterArray[] = null;
>> >     @TypeConversion(rule = ConversionRule.COLLECTION, type = ConversionType.CLASS,
>> >                     converter = "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
>> >     public void setParameterArray(String parameterArray[]) {
>> >         this.parameterArray = parameterArray;
>> >         LOG.debug("parameterArray " + Arrays.toString(parameterArray));
>> >     }
>> >
>> > the JSoupConversor has a minimal implementation of the conversion:
>> >
>> >     public Object convertValue(Map context, Object o, Class toClass) {
>> >         LOG.debug("convertValue " + o);
>> >         return super.convertValue(context, o, toClass);
>> >     }
>> >
>> >     public Object convertFromString(Map context, String[] values, Class toClass) {
>> >         LOG.debug("convertFromString " + Arrays.toString(values));
>> >         return null;
>> >     }
>> >
>> >     public String convertToString(Map context, Object o) {
>> >         LOG.debug("convertToString " + o);
>> >         if (o != null)
>> >             return o.toString();
>> >         return null;
>> >     }
>> >
>> >     protected Object performFallbackConversion(Map context, Object o, Class toClass) {
>> >         LOG.debug("performFallbackConversion " + o);
>> >         return super.convertValue(context, o, toClass);
>> >     }
>> >
>> > The issue is that the converter is not being called for the
>> > parameterArray, although the setter is being called. The logs are as
>> > follows:
>> >
>> > com.opensymphony.xwork2.interceptor.ParametersInterceptor  - Setting params
>> > parameter => [ value1 ] parameterArray => *[ value2, value3 ]*
>> >
>> > com.opensymphony.xwork2.conversion.impl.DefaultConversionAnnotationProcessor
>> > - TypeConversion [com.xxx.yyy.util.conversion.struts2.JSoupConversor] with key: [parameter]
>> >
>> > *com.opensymphony.xwork2.conversion.impl.DefaultConversionAnnotationProcessor
>> > - TypeConversion [com.xxx.yyy.util.conversion.struts2.JSoupConversor] with key: [parameterArray]*
>> > com.xxx.yyy.util.conversion.struts2.JSoupConversor  - convertValue [Ljava.lang.String;@1028f08
>> > com.xxx.yyy.util.conversion.struts2.JSoupConversor  - convertToString [Ljava.lang.String;@1028f08
>> > com.xxx.yyy.modules.test.controller.action.json.TestJSON  - simple parameter [Ljava.lang.String;@1028f08
>> > com.xxx.yyy.modules.test.controller.action.json.TestJSON  - *parameterArray [value2, value3]*
>> > com.opensymphony.xwork2.validator.ValidationInterceptor  - Invoking validate() on action com.spb.eco.modules.test.controller.action.json.TestJSON@1f4ca39
>> >
>> > So I see the converter being called for parameter, but not for
>> > parameterArray, but the parameterArray is actually being set. What am I
>> > missing?
>> >
>> > Thanks
>> >
>> >
>> > 2014-11-19 6:18 GMT-05:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
>> >
>> >> Thanks for the ideas. Overwriting the retrieveParameters(ActionContext ac)
>> >> method seems a good solution, although that would imply doing it to all
>> >> parameters. While that could be ok, I would like to take a less aggressive
>> >> approach. One option I'm considering is to use a custom Converter that
>> >> could take care of this, so I could set up the converter only in those
>> >> parameters I know I need to filter. What do you think?
>> >>
>> >> 2014-11-19 4:57 GMT-05:00 Lukasz Lenart <lukaszlenart@apache.org>:
>> >>
>> >>> 2014-11-19 4:57 GMT+01:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
>> >>> > Hello,
>> >>> >   We are using Struts 2.3.16.3 for our application. Due to security
>> >>> > reasons, we need to "clean" the user's input in order to avoid XSS. We are
>> >>> > using JSoup for that, with success
>> >>> > (http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer).
>> >>> >
>> >>> >   The issue is that we haven't found a really good way to integrate it with
>> >>> > Struts. Basically we need to pass every String parameter through JSoup to
>> >>> > sanitize it, and right now we are doing it manually on the execute method of
>> >>> > the action, after the parameters have been loaded in the action and
>> >>> > validated. We would like to do it automatically when the parameters are set
>> >>> > in the action. In the normal actions we can do it in the getter, but some
>> >>> > actions have java beans for parameters, and we don't want to integrate the
>> >>> > Jsoup call in the bean methods. Any suggestions about how to do this?
>> >>>
>> >>> You can override ParametersInterceptor's
>> >>> retrieveParameters(ActionContext ac) method and then build your custom
>> >>> stack. Or you can develop a custom interceptor, put it on top of
>> >>> your stack and do ActionContext.get/setParameters() in its intercept()
>> >>> method.
>> >>>
>> >>>
>> >>> Regards
>> >>> --
>> >>> Ɓukasz
>> >>> + 48 606 323 122 http://www.lenart.org.pl/
>> >>>
>> >>> ---------------------------------------------------------------------
>> >>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> >>> For additional commands, e-mail: user-help@struts.apache.org
>> >>>
>> >>>
>> >>
>>

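The interceptor route Lukasz suggests, worked through as an added example that is not code from this thread or from Struts itself: a custom interceptor placed at the top of the stack that rewrites the ActionContext parameters through Jsoup before ParametersInterceptor pushes them into the action, which also covers the String[] setters where Jose found OGNL never consults the @TypeConversion converter. The package name, class name and the Whitelist.none() policy are assumptions, and it targets the Struts 2.3.x API in which getParameters() returns Map<String, Object>.

```java
package com.example.web.interceptor;   // assumed package, not from the thread

import java.util.HashMap;
import java.util.Map;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

// Placed ahead of "params" in the stack, this rewrites every String and
// String[] request parameter through Jsoup before ParametersInterceptor
// sets anything on the action or its nested beans. It does not depend on
// type conversion, so setters that OGNL matches directly are covered too.
public class JsoupParametersInterceptor extends AbstractInterceptor {

    // Assumed policy: strip every tag. Whitelist.basic() keeps simple
    // formatting; Jsoup 1.14+ renames this class to Safelist.
    private static final Whitelist POLICY = Whitelist.none();

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext ctx = invocation.getInvocationContext();
        // Struts 2.3.x: values are String[] straight from the request,
        // or String if something upstream already unwrapped them.
        Map<String, Object> raw = ctx.getParameters();
        Map<String, Object> cleaned = new HashMap<String, Object>(raw.size());
        for (Map.Entry<String, Object> e : raw.entrySet()) {
            cleaned.put(e.getKey(), clean(e.getValue()));
        }
        ctx.setParameters(cleaned);
        return invocation.invoke();
    }

    // Cleans a String, each element of a String[], and passes other types through.
    static Object clean(Object value) {
        if (value instanceof String) {
            return Jsoup.clean((String) value, POLICY);
        }
        if (value instanceof String[]) {
            String[] in = (String[]) value;
            String[] out = new String[in.length];
            for (int i = 0; i < in.length; i++) {
                out[i] = in[i] == null ? null : Jsoup.clean(in[i], POLICY);
            }
            return out;
        }
        return value;
    }
}
```

Register the class as an interceptor in struts.xml and list it before `params` in the stack used by the affected actions, so the cleaned map is what the parameters interceptor reads. Note that Jsoup.clean returns HTML-encoded text (an `&` comes back as `&amp;`), so parameters that never carry HTML may be better left out of a blanket policy.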

