Prevent getText() evaluating EL expressions

Question

In Struts2 backend, I have an action class instance variable, eg: keyName. A dynamic key returned to view(JSP).

This keyName variable is set using a request parameter using POST method. Depending on the request parameter value, the keyName will vary.

In JSP, I am using <s:property value="getText(keyName)" /> to show the label corresponding to the key given by keyName variable.

When I send an EL expression for example ${90-40} to keyName this expression is being evaluated and resulting in showing 50 on the UI.

How can we avoid or prevent such EL injection with getText()?

Is there any other alternative way instead of <s:property value="getText(keyName)" />?

Roman C · Accepted Answer · 2015-08-14T16:36:31.540

You could create your own text provider and register it in struts.xml:

<constant name="struts.xworkTextProvider" value="com.struts.text.MyTextProvier"/>

Now create a class MyTextProvier that extends TextProviderSupport and override getText() methods. All methods take a parameter key as String and you can replace unwanted characters from it. Then call super.getText(). For example

public String getText(String key) {
  return super.getText(key.replaceAll("[\\$\\{\\}]", ""));
}

score 1 · Answer 2 · answered Aug 14 '15 at 12:29

1

Use <s:text name="keyName" />

http://struts.apache.org/docs/text.html

answered Aug 14 '15 at 12:29

Stefan Bartel

190
7

1

The link is broken. – Roman C Sep 10 '21 at 05:35

Prevent getText() evaluating EL expressions

2 Answers2

Linked