I want to know if there is a way to download the generated HTML from a Struts2 action (the final HTML after processing the jsp), using the normal result types. I don't want de page to be displayed, but instead to download it.
What I have tried:
<result name="success" type="stream">
<param name="location">/jsp/dummy.jsp</param>
<param name="contentType">application/text</param>
<param name="contentDisposition">attachment; filename="page.html"</param>
</result>
I donĀ“t want to use something like:
UrlReader.read("generateHTMLAction")
and putting that in an input stream, because I'm having some encoding issues.
Any idea will be apreciated.
Thank you everyone.
The handling of the returned response is mostly determined by HTTP headers and how they are interpreted by the browser. So, you can use the standard dispatcher result type and a JSP, as far as I know. You can use JSP directives to set the appropriate HTTP headers to make the browser treat the response payload in whatever manner you like.
I'm not aware IF or HOW this can be accomplished;
what I can say to you is that:
it does not exist any location param here: it is from other result types (DispatchResult, FreeMarker, etc), not from Stream type. Nice try, but I'm pretty sure there is nothing out-of-the-box among Struts2 result types that fits your needs;
You can't use Interceptor's PreResultListener feature, because it works on the final Result but before it is rendered, then jump off the Interceptors completely;
My 2 cents:
IF you want to do this for debug purpose, and not programmatically, and then the real problem is that you can't use View Source browser's feature because the result is already "contaminated" by the browser parsing, THEN you can try to use the PlainText result type (untested, it's just an idea, I've never used it), to get the raw content of the JSP eventually setting your charSet, and then read the raw JSP with an appropriate editor (Eclipse, Notepad++, etc).
Related
I'm not clear of when (or if) I should use multiple Grails encodeAsXXX calls.
This reference says you need to encodeAsURL and then encodeAsJavaScript: http://grailsrocks.com/blog/2013/4/19/can-i-pwn-your-grails-application
It also says you need to encodeAsURL and then encodeAsHTML, I don't understand why this is necessary in the case shown but not all the time?
Are there other cases I should me using multiple chained encoders?
If I'm rendering a URL to a HTML attribute should I encodeAsURL then encodeAsHTML?
If I'm rendering a URL to a JavaScript variable sent as part of a HTML document (via a SCRIPT element) should I encodeAsURL, encodeAsJavaScript then encodeAsHTML?
If I'm rendering a string to a JavaScript variable sent as part of a HTML document should I encodeAsJavaScript then encodeAsHTML?
The official docs - https://docs.grails.org/latest/guide/security.html - don't show any examples of multiple chained encoders.
I can't see how I can understand what to do here except by finding the source for all the encoders and looking at what they encode and what's valid on the receiving end - but I figure it shouldn't be that hard for a developer and there is probably something simple I'm missing or some instructions I haven't found.
FWIW, I think the encoders I'm talking about are these ones:
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/util/JavaScriptUtils.html#javaScriptEscape-java.lang.String-
https://docs.oracle.com/javase/7/docs/api/java/net/URLEncoder.html#encode(java.lang.String,%20java.lang.String)
https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/util/HtmlUtils.html#htmlEscape-java.lang.String-
.
It is certainly important to always consider XSS but in reading your question I think you are overestimating what you need to do. As long as you're using Grails 2.3 or higher and your grails.views.default.codec is set to html which it will be by default, everything rendered in your GSP with ${} will be escaped properly for you.
It is only when you are intentionally bypassing the escaping, such as if you need to get sanitized user input back into valid JavaScript within your GSP for some reason, that you would need to use the encodeAsXXX methods or similar.
I would argue (and the article makes a mention of this as well) that this should raise a smell anyway, as you probably should have that JavaScript encapsulated in a different file or TagLib where the escaping is handled.
Bottom line, use the encoding methods only if you are overriding the default HTML encoding, otherwise ${} handles it for you.
I have in my browser.xul code,what I am tyring to is to fetch data from an html file and to insert it into my div element.
I am trying to use div.innerHTML but I am getting an exception:
Component returned failure code: 0x804e03f7
[nsIDOMNSHTMLElement.innerHTML]
I tried to parse the HTML using Components.interfaces.nsIScriptableUnescapeHTML and to append the parsed html into my div but my problem is that style(attribute and tag) and script isn`t parsed.
First a warning: if your HTML data comes from the web then you are trying to build a security hole into your extension. HTML code from the web should never be trusted (even when coming from your own web server and via HTTPS) and you should really use nsIScriptableUnescapeHTML. Styles should be part of your extension, using styles from the web isn't safe. For more information: https://developer.mozilla.org/En/Displaying_web_content_in_an_extension_without_security_issues
As to your problem, this error code is NS_ERROR_HTMLPARSER_STOPPARSING which seems to mean a parsing error. I guess that you are trying to feed it regular HTML code rather than XHTML (which would be XML-compliant). Either way, a better way to parse XHTML code would be DOMParser, this gives you a document that you can then insert into the right place.
If the point is really to parse HTML code (not XHTML) then you have two options. One is using an <iframe> element and displaying your data there. You can generate a data: URL from your HTML data:
frame.src = "data:text/html;charset=utf-8," + encodeURIComponent(htmlData);
If you don't want to display the data in a frame you will still need a frame (can be hidden) that has an HTML document loaded (can be about:blank). You then use Range.createContextualFragment() to parse your HTML string:
var range = frame.contentDocument.createRange();
range.selectNode(frame.contentDocument.documentElement);
var fragment = range.createContextualFragment(htmlData);
XML documents don't have innerHTML, and nsIScriptableUnescapeHTML is one way to get the html parsed but it's designed for uses where the HTML might not be safe; as you've found out it throws away the script nodes (and a few other things).
There are a couple of alternatives, however. You can use the responseXML property, although this may be suboptimal unless you're receiving XHTML content.
You could also use an iframe. It may seem old-fashioned, but an iframe's job is to take a url (the src property) and render the content it receives, which necessarily means parsing it and building a DOM. In general, when an extension running as chrome does this, it will have to take care not to give the remote content the same chrome privilages. Luckily that's easily managed; just put type="content" on the iframe. However, since you're looking to import the DOM into your XUL document wholesale, you must have already ensured that this remote content will always be safe. You're evidently using an HTTPS connection, and you've taken extra care to verify the identity of the server by making sure it sends the right certificate. You've also verified that the server hasn't been hacked and isn't delivering malicious content.
I want to get the current request uri from inside a jsp page in a struts2 webapp. I can do this in an action using the following:
ServletActionContext.getRequest().getRequestURI()
... and I supposed technically I could then create a property of the action that just returns that value but I would rathern not write it into the action, is there a way I can access the same value in a jsp using an ognl expression?
EDIT:
After a bit more playing about I have realised that even if I can get the HttpServletRequest.getRequestURI() value in the jsp page by the time I get it, it will have changed to the path of the jsp not the original request URI so will not be what I want.
So instead what I have done is write an interceptor that grabs the value early on before the request is dispatched to the jsp file and then save it in the value stack which I can then refer to it in the jsp. This may be the only solution but if anyone knows different then do enlighten me.
<s:url/>
This question Tiles2 Struts Switch Locale shows an application of the tag and shows how to maintain the parameters on the url (which might be useful for later).
hi all,
i want to make localization feature in a website written in struts 2. as far as i know, the standard way of doing so is using get in the following manner:
http://.../namespace/action_name?request_locale=<locale code>
however, my boss doesn't like such hairy url. instead, i'm required to write it in the following manner:
http://.../namespace/a_param/<locale code>/another_param...
i tried to change the action mapping in my struts.xml into something like
<action name="*/*..." ... >
<param name="locale">{2}</param>
...
</action>
it doesn't work
after i changed it into
<action name="*/*..." ...>
<param name="request_locale">{2}</param>
...
</action>
it doesn't work either T_T
by the way, i know there is trick of putting ActionContext.getContext().setLocale(new Locale(...)); in action which basically change the locale for that instance. however, it seems that the effect will only be transient (in contrast, i18n saves the chosen locale in session, which basically makes it quite persistent.
so, how to change the locale by embedding the locale code in the url?
Your help is highly appreciated =D
I have not done much with locals but i18n should automatically determine the correct local from the browser via the headers, there is no need for anything to be in the url. As long as there is a language bundle for the particular locale it will try to pull properties from that file.
This page shows an example of using basic i18n (only looked at it for a moment, personally I always start at http://struts.apache.org/2.x/ but the tutorial/guides are a bit dry.
Why do you need to refer to anything in the url at all concerning language? Personally if the user did want to override the default locale I would provide some form of control (menu) to do so. Then I would set a variable in session then I would create an interceptor which would call setLocale on the action using the local parameter on the session (if there is a value set of course). This way there would not be any need to embed parameters into individual pages and the local is out of the url all together.
There is a way to do what you want with the url... Something to do with conventions and slashes in allowing slashes in the action name I think. I'll post back if I remember. But I think the above is generally a better approach anyways.
Edit: Taking into consideration what you are trying to accomplish I can see two very different solutions.
1) You can use a proxy, the incoming URL www.example.com/en/ and www.example.com/fr/ can be mapped to different web applications or even the same web application but the url is re-written into a form that suites your application. Tools that can do this include: iptables, apache mod_rewrite, squid... and a multitude of others. This type of solution is more valuable if you handle multiple ip addressses/urls/applications on one server.
2) You can set the struts2 property struts.enable.SlashesInActionNames then using wildcards you can do something like:
<action name="*/*">
<result>/WEB-INF/content/{1}/{2}.jsp</result>
<action>
You can also pass parameters to actions each asterisk found in the action name becomes {1}, {2}, etc. It sounds like you might need this feature. If someone else knows it escapes me at the moment how you would capture parts of the url like this with struts2-conventions-plugin so the action can make use of them I would find that interesting.
#Quaternion
basically the intention is that, the website has several national "sub-website". based on user's ip address, he/she will be redirected to the national "sub-website". it's like when you open www.google.com, you may be redirected to www.google.com.country_domain.
each national "sub-website" has several languages, with 1 default language. it's just like when you open google israel website, by default you will see a website written in hebrew language, although you can override this default choice by choosing it to be in english.
in my planned website, following isreal website and hebrew language example, it is supposed to be like this:
the user is in israel
he is opening www.abcdef.com
the server is recognizing that the client is in israel. there are 3 languages can be chosen for the israel "sub-website": hebrew, arabian, english. the default one is hebrew, but client can override this choice
the user is then redirected to www.abcdef.com/il/he ("il" stands for israel country and "he" stands for hebrew language)
but the user is apparently a british tourist with no knowledge on hebrew or arabian language. so he/she chose english language
he/she will be redirected to www.abcdef.com/il/en ("en" stands for english language)
the next time that client opens www.abcdef.com in israel again (assuming the cookies & sessions are still around), he/she will be redirected to www.abcdef.com/il/en
thx fr your help =D
Definitely I would leave the responsibility to handle the Locale to an interceptor.
Here is a tutorial to Create an Interceptor.
This interceptor can be placed in a common stack shared by all (or most of) incoming requests and it will assign the locale
ActionContext.getContext().setLocale(locale);
with the proper logic that could take into account:
query-string parameters
stored user preferences
cookies
session
browser preferences (are in the request)
I am accessing a set of websites using variables
<cfhttp url="http://website.com/index.php?title=#var1#:#var2#&action=edit##EditPage" method="GET">
Some pages do not provide the data I need and instead of #EditPage in the URL show a fragment
edit&redlink=1. I want to treat these pages differently. How do I go about identifying them?
The hash "#" used in URL is used by browsers and not servers. Typically when a browser sees the hash in the URL it will jump to either an anchor on the page with the same name, or an element with that id. Exceptions, are when javascript is used to modify the page dynamically based on the hash.
If I'm understanding you correctly, what you want to do is construct the URL in a separate variable first. Something like URLtoGet. Then, you can use cfif to switch on whether that constructed URL contains the fragment you specified. Look into contains(), find(), and findNoCase() to determine which is the best option for you.