Fortify Finding: OGNL Expression Injection: Double Evaluation - struts2

Need some help resolving a Fortify finding of OGNL Expression Injection: Double Evaluation
Here is the code that was flagged:
<tr>
<td align=right><strong>Label Number:</strong></td>
<td><s:textfield name="invForm.labelNumber" id="labelNumber" size="7" maxlength="7"/></td>
</tr>
<tr>

Related

How to display blank data in Thymeleaf in th:text

I am trying to use Thymeleaf if and unless, but it is not working. What I am trying to do is check whether the statusNm variable has a value of 'Approved': if so, display the content; otherwise, leave it blank.
But I am not able to achieve it. Please suggest a solution.
<th>Approved Date</th>
<td th:if="${obj.statusNm}=='Approved'" th:text="${obj.modifyDt}"></td>
<td th:unless="${obj.statusNm}" th:text=""></td>
<th>Approved By</th>
<td th:if="${obj.statusNm}=='Approved'" th:text="${obj.modifier}"></td>
<td th:unless="${obj.statusNm}" th:text=""></td>
As an alternative, you may look at conditional expressions and evaluate your condition directly in the th:text attribute:
<th>Approved Date</th>
<td th:text="${obj.statusNm=='Approved'} ? ${obj.modifyDt}"></td>
<th>Approved By</th>
<td th:text="${obj.statusNm=='Approved'} ? ${obj.modifier}"></td>
The equals check must be inside the curly brackets like this:
<th>Approved Date</th>
<td th:if="${obj.statusNm=='Approved'}" th:text="${obj.modifyDt}"></td>
<td th:unless="${obj.statusNm=='Approved'}" th:text=""></td>

Parallel loops in Thymeleaf

This is my code; it does not work. I know I cannot write the loops like that, but how should they be written to get the logic done?
<tr th:each="max:${top3max}", th:each="min:${top3min}">
<td th:text="${max.getName()}"></td>
<td th:text="${min.getName()}"></td>
</tr>
As long as both Lists are the same size, you can loop through one and use the status variable to access the other. Like this:
<tr th:each="max, i: ${top3max}">
<td th:text="${max.getName()}"></td>
<td th:text="${top3min[i.index].getName()}"></td>
</tr>
If you want something more like a traditional for loop, this will work (as long as top3max is a List; you'll have to use .length instead of .size() if you're dealing with an array):
<tr th:each="i: ${#numbers.sequence(0, top3max.size() - 1)}">
<td th:text="${top3max[i].getName()}"></td>
<td th:text="${top3min[i].getName()}"></td>
</tr>

When do you use th:remove="tag" versus th:block?

The following two blocks would evaluate the same, so when would you use th:remove="tag" over th:block?
<th:block th:text="${myBean.value}">[value]</th:block>
versus
<span th:remove="tag" th:text="${myBean.value}">[value]</span>
Since they can be used interchangeably I think it is opinion based... but for readability, my opinion is:
<th:block /> should be used for structural logic (th:if, th:each, etc.) and only when it is not possible on the parent tag. For example, when you have to contain more than one element in a loop, e.g., a loop that produces 2 table rows for each object:
<table>
<th:block th:each="object: ${objects}">
<tr>
<td th:text="${object.data1}" />
<td th:text="${object.data2}" />
</tr>
<tr>
<td th:text="${object.data3}" />
<td th:text="${object.data4}" />
</tr>
</th:block>
</table>
th:remove should only be used for example data that is only meant to be rendered when viewing the file in a browser for prototyping, without running Thymeleaf:
<table>
<th:block th:each="object: ${objects}">
<tr>
<td th:text="${object.data1}" />
<td th:text="${object.data2}" />
</tr>
<tr>
<td th:text="${object.data3}" />
<td th:text="${object.data4}" />
</tr>
</th:block>
<tr th:remove="all">
<td>Mild Cinnamon</td>
<td>1.99</td>
</tr>
<tr th:remove="all">
<td>Other</td>
<td>Data</td>
</tr>
</table>
In the specific case where you want to output data/text without a tag, I prefer inline expressions. They're enabled by default in thymeleaf 3. So:
[[${myBean.value}]] instead of <th:block th:text="${myBean.value}">[value]</th:block>
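The following is an added example, not code from either answer above or from the Thymeleaf project. It renders both idioms discussed in the two answers above (parallel iteration through the status variable, and th:block with th:remove="all" plus an inline expression) with Thymeleaf 3's TemplateEngine and a StringTemplateResolver, so the produced HTML can be inspected. It assumes Thymeleaf 3.x on the classpath; the Item bean, the list contents and the variable names top3max, top3min and objects are constructed for the demo. It goes one step beyond the answer by guarding the second list's index, so a shorter list yields an empty cell instead of an exception, and it feeds markup through th:text and [[...]] to show that both escape it.

```java
// Added example (not from the original posts): renders two Thymeleaf idioms
// with Thymeleaf 3's TemplateEngine. Requires org.thymeleaf:thymeleaf:3.x.
import java.util.Arrays;

import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class ThymeleafIdioms {

    /** Constructed bean standing in for the questioner's list elements (assumed shape). */
    public static class Item {
        private final String name;
        public Item(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Engine that treats the template argument itself as the HTML source. */
    static TemplateEngine engine() {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // Parallel iteration via the iteration status variable "i"; the index is
    // checked against the second list's size ("lt" instead of "<", which is
    // not allowed inside an HTML attribute value) so a shorter second list
    // produces an empty cell rather than an IndexOutOfBoundsException.
    static final String PARALLEL =
        "<table>\n" +
        "<tr th:each=\"max, i : ${top3max}\">\n" +
        "<td th:text=\"${max.getName()}\"></td>\n" +
        "<td th:if=\"${i.index} lt ${top3min.size()}\" th:text=\"${top3min[i.index].getName()}\"></td>\n" +
        "<td th:unless=\"${i.index} lt ${top3min.size()}\"></td>\n" +
        "</tr>\n" +
        "</table>\n";

    // th:block emits two rows per object without leaving a tag behind; the
    // th:remove="all" row is prototype-only data dropped at render time; the
    // inline [[...]] expression and th:text both HTML-escape their value.
    static final String BLOCK =
        "<table>\n" +
        "<th:block th:each=\"object : ${objects}\">\n" +
        "<tr><td th:text=\"${object.getName()}\"></td></tr>\n" +
        "<tr><td>[[${object.getName()}]]</td></tr>\n" +
        "</th:block>\n" +
        "<tr th:remove=\"all\"><td>Mild Cinnamon</td><td>1.99</td></tr>\n" +
        "</table>\n";

    public static void main(String[] args) {
        TemplateEngine engine = engine();

        // Constructed input: three "max" items but only two "min" items.
        Context ctx = new Context();
        ctx.setVariable("top3max", Arrays.asList(new Item("a"), new Item("b"), new Item("c")));
        ctx.setVariable("top3min", Arrays.asList(new Item("x"), new Item("y")));
        System.out.println(engine.process(PARALLEL, ctx));

        // Constructed input containing markup, to show it is escaped on output.
        Context ctx2 = new Context();
        ctx2.setVariable("objects", Arrays.asList(new Item("<b>bold</b>")));
        System.out.println(engine.process(BLOCK, ctx2));
    }
}
```

Run it as a plain main class with the Thymeleaf jar and its dependencies on the classpath; the second template's output contains no literal `<b>` because th:text and `[[...]]` escape, whereas th:utext and `[(...)]` would not.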

Is commenting faster than th:remove="all-but-first"?

There's an example in the Thymeleaf docs that I'm curious about.
Is commenting out a block using Thymeleaf-style commenting faster than using th:remove="all-but-first"?
Example:
<table>
<tr th:each="user : ${users}">
<td th:text="${user.name}">Jamie Dimon</td>
</tr>
<!--/* Hidden from evaluation -->
<tr>
<td>Jeff Bezos</td>
</tr>
<tr>
<td>Warren Buffett</td>
</tr>
<!--*/-->
</table>
vs.
<table th:remove="all-but-first">
<tr th:each="user : ${users}">
<td th:text="${user.name}">Jamie Dimon</td>
</tr>
<tr>
<td>Jeff Bezos</td>
</tr>
<tr>
<td>Warren Buffett</td>
</tr>
</table>
In both cases, prototyping would show the same HTML, but I am wondering whether the low precedence of th:remove would make it less desirable since it would be removing the tags after evaluating the th:each.

JSoup to extract particular block from multiple block

I'm new to JSoup, and my question is how I extract particular text from multiple blocks that share the same class and attributes.
For example, here I want to extract the information in the 3rd row of the HTML. How do I specify in my JSoup code that it should extract the information in the 3rd row?
<tr>
<td align="center" colspan="2" class="maintitle">Active Stats</td>
</tr>
<tr>
<td class="row2" valign="top"><b>User's local time</b></td>
<td class="row1">Oct 22 2013, 07:23 PM</td>
</tr>
<tr>
<td class="row2" width="30%" valign="top"><b>Total Cumulative Posts</b></td>
<td width="70%" class="row1"><b>4</b>
<br />( 0 posts per day / 0.00% of total forum posts )
</td>
</tr>
Use the CSS-selector syntax to specify which row to select.
Element e = doc.select("tr:eq(2) td.row2").first();
System.out.println(e.text());
will result in
Total Cumulative Posts
A tip is to at least look through the Jsoup documentation before asking questions.
All this can easily be found in the API.
Jsoup - Use selector syntax
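The following is an added example, not code from the answer above or from the Jsoup project. It parses a constructed copy of the question's rows and shows the positional selector from the answer (tr:eq(n) is zero-based, so tr:eq(2) is the third row) next to a label-based lookup that does not depend on row position, which is more robust when rows are added or reordered. It assumes Jsoup 1.11 or later (for selectFirst); the HTML string and the method names labelOfRow and valueFor are constructed for the demo.

```java
// Added example (not from the original post): positional vs. label-based
// extraction with Jsoup. Requires org.jsoup:jsoup on the classpath.
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;

public class StatsExtractor {

    // Constructed sample, modelled on the rows shown in the question.
    static final String HTML =
        "<table>\n" +
        "<tr><td align=\"center\" colspan=\"2\" class=\"maintitle\">Active Stats</td></tr>\n" +
        "<tr><td class=\"row2\" valign=\"top\"><b>User's local time</b></td>\n" +
        "<td class=\"row1\">Oct 22 2013, 07:23 PM</td></tr>\n" +
        "<tr><td class=\"row2\" width=\"30%\" valign=\"top\"><b>Total Cumulative Posts</b></td>\n" +
        "<td width=\"70%\" class=\"row1\"><b>4</b><br />( 0 posts per day / 0.00% of total forum posts )</td></tr>\n" +
        "</table>\n";

    /** Positional form from the answer: :eq(n) is zero-based, so row 2 is the third row. */
    static String labelOfRow(Document doc, int zeroBasedRow) {
        // selectFirst returns null when nothing matches, so guard before calling text().
        Element label = doc.selectFirst("tr:eq(" + zeroBasedRow + ") td.row2");
        return label == null ? null : label.text();
    }

    /**
     * Label-based form: find the label cell whose text matches exactly, then read
     * the value cell next to it. Comparing text() in Java avoids building a
     * selector string out of the label.
     */
    static String valueFor(Document doc, String label) {
        for (Element cell : doc.select("td.row2")) {
            if (cell.text().equals(label)) {
                Element value = cell.nextElementSibling();
                return value == null ? null : value.text();
            }
        }
        return null;  // label not present in this table
    }

    public static void main(String[] args) {
        Document doc = Jsoup.parse(HTML);
        System.out.println(labelOfRow(doc, 2));
        System.out.println(valueFor(doc, "Total Cumulative Posts"));
        System.out.println(valueFor(doc, "No such label"));
    }
}
```

Note that Jsoup wraps the rows in a tbody when parsing, which does not affect tr:eq(n) because the tr elements remain siblings of one another.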