Accessing a HashMap using Struts 2 - struts2

I have hashmap that was created on a page using the struts2 <s:set> tag. It looks something like this
<s:set var="mymap" value="#request.mymap"/>
At some point in the page, i need to get a value from the hashmap based upon a key, and i want to do it using OGNL.
The key is generated based upon some logic, which i store using another <s:set> tag. Something like this
<s:set var="mykey" value="1">
I need to get a value from the hashmap using this key. And I need to display it.
How do I simply call the get function on the hashmap?
I tried this
<s:property value="#mymap[#mykey]"/>
and this
<s:property value="#mymap[%{#mykey}]"/>
and this
<s:property value="%{#mymap[%{#mykey}}]"/>
The third one obviously does not work because of the nesting problem.
But the same nesting logic is applicable to the second case as well, due to the manner the value attribute is handled. However none seem to work for me.
The issue here is that my key is unknown. It is a dynamically generated string based upon some pattern. I need to access the object stored in the hashmap using this dynamic key. And due to the inability of nesting ognl, I am in a fix.
I suppose the issue is very simple. I almost feel that I get it, but somehow the solution eludes me.

I suppose I was using a different version of struts wherein using the %{} was required for the expression to be evaluated. I changed the jar files now.
This is what did the job for me:
<s:property value="#mymap.[#mykey2]"/>
My problem was coming because I was trying to use it in a href for a s:a tag. And without the %{} operator, the expression was not being evaluated.
So, i guess, i was right in the beginning itself. Rest of the time, it was just me being silly. :>
Update:
I wrote a blog post on the issue, in case anyone is interested.
http://mycodefixes.blogspot.com/2010/11/struts-2-creating-and-accessing-maps.html

Related

Where can I see the specification for thymeleaf th:method?

I've seen a lot of answers about how to send PUT/DELETE/PATCH HTTP requests with thymeleaf, and it's by using th:method = "the_specific_method", but i haven't found the thymeleaf specification about that. Can anyone help showing me where is it?
Thanks in advance.
I've tried to google for the answer, but no luck.
th:method isn't special to Thymeleaf -- it's just like any other plain old attribute which will output the result of an expression to the method attribute. It doesn't do (or care about) anything else. You can put any string and/or string expression into it, and Thymeleaf will happily output it.
th:method="${'the_specific_method'}"
will output
method="the_specific_method"
without regards to whether or not it's valid. If you want to learn about the method attribute, you just need to learn about how method works in plain old regular html and how browsers (and/or Spring) work with it.

Include boolean params with g:include are passed as Strings to the included view

I don't know if the following change is an issue or it is intended.
<g:include view="line.gsp" params="['label':'test', 'progress':false]"/>
Then the expression in line.gsp aways evaluates to true, because the type of the 'progress' param is String, not Boolean.
class is: ${params.progress.getClass()}
<g:if test="${params.progress}">
this should not be displayed
</g:if>
Note that the same is applicable for other types, not just Boolean.
I am using grails 3.3.8
This didn't happen in grails 2.5.2.
I didn't find anything about this online so that's why I am asking here. Thanks.
Edit:
As suggested by Daniel, I've tried with grails 3.3.2 also.
I just created an app with grails create-app and modified the existing index.gsp to include line.gsp, as shown in the code above.
Here is a screenshot:
I realize you have already found a workaround to this, but it was bothering me that your code was not working the same way mine was, so I decided to investigate a bit further in case anyone else runs into this issue.
As other people here have mentioned, params.anything will typically return a String value. This is because params are typically encoded as URI parameters (like ?progress=false) and not autoboxed into any other type. (This is perfectly reasonable; there would be no good way for Grails to know what type they should be.) However, it is possible (and occasionally reasonable) to render your view or template from a controller like render view: whatever, model: [your: model, params: params] where you specifically include params in the model. (Perhaps you have a lot of parameters that you do not need to individually recreate in the model.) In this case, the params map will exist as both URI parameters (?progress=false) and page-scoped model entry (params: [progress: Boolean.FALSE]). Page scope takes priority over URI parameters, and so your types will be preserved.
In my testing, I added your code to an existing page where I was already passing params into the model, and so type was preserved for a newly added parameter as well. (Note that once params are in page scope, they're there for included templates or views as well.) Consequently, I saw progress type of Boolean, while in a basic example it would be type String.
TL/DR: either assume params are strings, or explicitly include params in your page-scoped model when rendering.
Yes, this is true. When you are calling params.something, you are actually accessing GrailsParameterMap which is a Map. So your condition actually evaluates as Map->get() which will be Object->toString() and of course it is true cause it's not null and not empty. So the solution will be the following:
<g:if test="${params.getBoolean("progress")}">
this should not be displayed
</g:if>
You can test this as follows
<g:if test="${params.progress && params.progress == 'false'}">
this should not be displayed
</g:if>

Problems getting data from XML using Nokogiri and Rails

I'm trying to get information from a XML file with Nokogiri. I can retrieve file using
f = File.open("/my/path/file.xml")
cac=Nokogiri::XML(f)
And what a get is a fancy noko:file. My row tags are defined like
<z:row ...info..../>
like
<Nokogiri::XML::Element:0x217e7b8 name="z:row" attributes=[#<Nokogiri::XML::Attr:0x217e754 name="ID_Poblacio" value="3">
and I cannot retrieve the rows using either:
s=cac.at_xpath("/*/z:row") or
s=cac.at_xpath("//z:row") or
s=cac.at_xpath("//row") or
s=cac.at_xpath("z:row")...
Probably I'm really fool but I cannot figure out which can be the issue.
Does anyone face this problem?
Thanks in advance.
P:S I tried to paste my cac file directly from bash but something wierd happens with format so I remove it from question. If anyone can explain how to do it I will appreciate it.
Your XML element name contains a colon, but it is not in a namespace (otherwise the prefix and uri would show up in the dump of the node). Using element names with colons without using namespaces is valid, but can cause problems (like this case) so generally should be avoided. Your best solution, if possible, would be to either rename the elements in your xml to avoid the : character, or to properly use namespaces in your documents.
If you can’t do that, then you’ll need to be able to select such element names using XPath. A colon in the element name part of an XPath node test is always taken to indicate a namespace. This means you can’t directly specify a name with a colon that isn’t in a namespace. A way around this is to select all nodes and use an XPath function in a predicate to refine the selection to only those nodes you’re after. You can use a colon in an argument to name() and it won’t be interpreted as a namespace separator:
s=cac.at_xpath("//*[name()='z:row']")

Struts 2 - is there any way to escape HTML in input fields?

When I allow a user to enter text using s:textfield, he can enter something like <b>Name</b> or something like \Me/. I want that these should be escaped before I am saving them to the database. When we retrieve them, the escaping is done automatically, but I want it to happen also when we are saving it.
I was trying to return a json output from my action class, but due to a name \a/ stored in my database, wrong json was being formed. This would have been avoided if the name had been escaped before being saved into the database.
You can use StringEscapeUtils. You can call escapeJavascript(textfield) in your action and then store it into the database.
#Daud, The problem you explained is called Cross site scripting or XSS.
And I think you should use Filters to clean the request parameters. This is the most sophisticated way. You can call these filters for the actions which are posting some parameters via request.
Visit my blog to see how to avoid XSS threat using Filter approach.
I also faced this issue when our project was tested by well known firm specializing in security testing and they suggested this filter approach.
You can give it a try.

Do dashes in a querystring pose a security risk for Ruby on Rails?

I got an exception in a web app I'm developing recently from a url something like:
http://domain.com/script.js?bcsi-ac-16E7C1CCF9EF6357=1C76413C00000002kmNHGZK2deV0Qz25TXynq3fMaPTrBAAAAgAAAD5tGgCEAwAACAAAAPUiAgA=
First of all - what in the world is that? From searching it sounds like maybe it's a cookie / session variable of some kind...
Second of all, the exception was about dynamic assignment of a constant. I tried a simpler url:
http://domain.com/script.js?bcsi-ac
And that gave an exception about the variable or method 'bcsi' not being defined, as if it were trying to evaluate it... WHAT!? I sure as hell hope people can't cause my Rails app to evaluate random code just by passing it to the querystring...
To provide more detail: I'm not doing anything unusual with the querystring data in the route or the controller. I just take the params and pass them into a partial as locals (admittedly not the cleanest way to do it, but simple - and that certainly shouldn't cause it to evaluate a parameter name as code?)
OKAY! Answering my own question again. It turns out passing params in as locals to a partial DOES cause it to evaluate the parameter name as code - obviously it can't use the variable name "bcsi-ac" so it tries to evaluate it.
But the question as to whether that poses a security risk still remains... I don't seem to be able to call methods on things, or actually assign things... but maybe I just haven't tried hard enough. It would seem to me that rails should just throw an exception when passing in a locals hash that includes an invalid variable name.
as a general rule of thumb, any time you allow strings from your url to be evaluated as code you are setting up a huge security risk in your application. you might not be able to call methods on locals as your methods exist server side and the code you are evaluating is client side, but this certainly opens your site up to XSS vulnerabilities among others...

Resources