问题描述

在Struts2后端中，我有一个动作类实例变量，例如:keyName.动态键返回到视图(JSP).

In Struts2 backend, I have an action class instance variable, eg: keyName. A dynamic key returned to view(JSP).

此keyName变量是使用POST方法使用请求参数设置的.根据请求参数的值，keyName会有所不同.

This keyName variable is set using a request parameter using POST method. Depending on the request parameter value, the keyName will vary.

在JSP中，我使用<s:property value="getText(keyName)" />来显示与keyName变量给定的键相对应的标签.

In JSP, I am using <s:property value="getText(keyName)" /> to show the label corresponding to the key given by keyName variable.

当我将EL表达式(例如${90-40})发送到keyName时，该表达式将被评估并在UI上显示50.

When I send an EL expression for example ${90-40} to keyName this expression is being evaluated and resulting in showing 50 on the UI.

我们如何避免或防止使用getText()进行此类EL注入?

How can we avoid or prevent such EL injection with getText()?

除了<s:property value="getText(keyName)" />之外，还有其他替代方法吗?

Is there any other alternative way instead of <s:property value="getText(keyName)" />?

推荐答案

您可以创建自己的文本提供程序并将其注册在struts.xml中:

You could create your own text provider and register it in struts.xml:

<constant name="struts.xworkTextProvider" value="com.struts.text.MyTextProvier"/>

现在创建一个扩展TextProviderSupport并覆盖getText()方法的类MyTextProvier.所有方法都将参数key用作String，您可以从中替换不需要的字符.然后调用super.getText().例如

Now create a class MyTextProvier that extends TextProviderSupport and override getText() methods. All methods take a parameter key as String and you can replace unwanted characters from it. Then call super.getText(). For example

public String getText(String key) {
  return super.getText(key.replaceAll("[\\$\\{\\}]", ""));
}

这篇关于防止getText()评估EL表达式的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！