Problem description
In the Struts2 backend, I have an action class instance variable, e.g. keyName, a dynamic key returned to the view (JSP).
This keyName variable is set from a request parameter sent with the POST method. Depending on the value of the request parameter, keyName will vary.
In the JSP, I am using <s:property value="getText(keyName)" /> to show the label corresponding to the key given by the keyName variable.
When I send an EL expression, for example ${90-40}, as keyName, the expression is evaluated and 50 is shown on the UI.
How can we avoid or prevent such EL injection with getText()?
Is there any alternative to <s:property value="getText(keyName)" />?
Recommended answer
You could create your own text provider and register it in struts.xml:
<constant name="struts.xworkTextProvider" value="com.struts.text.MyTextProvier"/>
Now create a class MyTextProvier that extends TextProviderSupport and override the getText() methods. All of them take a parameter key as a String, from which you can strip unwanted characters before calling super.getText(). For example:
// Remove "$", "{" and "}" from the key so it can no longer form a ${...} expression
public String getText(String key) {
    return super.getText(key.replaceAll("[\\$\\{\\}]", ""));
}
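A fuller version of the same approach, as an added example that is not part of the original answer: it assumes Struts 2.5.x, where TextProviderSupport has a no-argument constructor and receives its collaborators by container injection, and it uses an allow-list of key characters instead of stripping "$", "{" and "}", so a key containing anything other than letters, digits, dots, underscores and hyphens is swapped for a fixed placeholder key before it reaches the message lookup. The class name SafeKeyTextProvider, the placeholder key label.unknown and the set of overridden overloads are my assumptions; the package com.struts.text is taken from the answer's struts.xml constant.

```java
package com.struts.text;

import java.util.List;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.TextProviderSupport;
import com.opensymphony.xwork2.util.ValueStack;

/**
 * Added example (not the original answer's code): a TextProvider that refuses
 * message keys containing anything that could open an OGNL/EL expression.
 * Register it in struts.xml with
 *   <constant name="struts.xworkTextProvider" value="com.struts.text.SafeKeyTextProvider"/>
 * Assumes Struts 2.5.x, where TextProviderSupport has a no-arg constructor and
 * gets its LocaleProvider / LocalizedTextProvider injected by the container.
 */
public class SafeKeyTextProvider extends TextProviderSupport {

    // Allow-list: resource-bundle keys look like "label.user.name" or "error_code-1".
    // "$", "%", "{", "}", "(", ")", "#", "@", quotes and whitespace never match.
    private static final Pattern SAFE_KEY = Pattern.compile("[A-Za-z0-9._-]{1,200}");

    // Assumed to exist in the resource bundle; shown instead of an attacker-shaped key.
    static final String FALLBACK_KEY = "label.unknown";

    public SafeKeyTextProvider() {
        super();
    }

    /**
     * Returns the key unchanged if it is well-formed, otherwise FALLBACK_KEY.
     * Replacing the whole key (rather than deleting characters from it) means
     * nothing the attacker controls is passed on to the message lookup.
     */
    static String sanitizeKey(String key) {
        if (key == null || !SAFE_KEY.matcher(key).matches()) {
            return FALLBACK_KEY;
        }
        return key;
    }

    // Every lookup goes through sanitizeKey() before reaching the real provider.
    @Override
    public String getText(String key) {
        return super.getText(sanitizeKey(key));
    }

    @Override
    public String getText(String key, String defaultValue) {
        return super.getText(sanitizeKey(key), defaultValue);
    }

    @Override
    public String getText(String key, List<?> args) {
        return super.getText(sanitizeKey(key), args);
    }

    @Override
    public String getText(String key, String[] args) {
        return super.getText(sanitizeKey(key), args);
    }

    @Override
    public String getText(String key, String defaultValue, List<?> args) {
        return super.getText(sanitizeKey(key), defaultValue, args);
    }

    @Override
    public String getText(String key, String defaultValue, String[] args) {
        return super.getText(sanitizeKey(key), defaultValue, args);
    }

    @Override
    public String getText(String key, String defaultValue, List<?> args, ValueStack stack) {
        return super.getText(sanitizeKey(key), defaultValue, args, stack);
    }

    @Override
    public String getText(String key, String defaultValue, String[] args, ValueStack stack) {
        return super.getText(sanitizeKey(key), defaultValue, args, stack);
    }
}
```

With this provider, the question's input ${90-40} fails the allow-list and resolves label.unknown instead of being evaluated; sanitizeKey is package-private and static so it can be unit-tested without a Struts container, and an action that wants to log probing attempts can compare sanitizeKey(keyName) with the raw keyName before rendering.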
That concludes the article on preventing getText() from evaluating EL expressions.