Struts Jquery 将 Struts 从 Struts 2.5.22 升级到 2.5.27 后出现网格负载问题

Question

Hi We have recently upgraded Struts2 from Struts 2.5.22 to 2.5.27. In our application we are are using Struts Jquery Grid. We are using struts2-jquery-grid-plugin-4.0.3.jar library.

One of our application need is to assign grid id a dynamic value which is bean property. My code snippet is below:

<sjg:grid id="%{#tabGrid.gridId}" caption="%{#tabGrid.gridCaption}" gridModel="%#tabGrid.gridData}" href="%{gridUrl}"-------->

Before upgrade above piece of code was working. But after the upgarde we are unable to assign grid id bean property.But we can assign grid caption bean property like shown in above code snippet.Only when we are assigning id a bean property my code is breaking.

I have tried to workaround by assigning grid class value of property bean than id. But this change will impact lot of code changes in my application. Please suggest what could be the reason for it and possible solution.

Answer 1

Since Struts 2.5.26 you no longer can use %{} to force OGNL evaluation in the Struts tags using public attributes which leads to double evaluation of OGNL expression. This fixture is documented in S2-061 .

Some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.