Tags: java, regex, jsp, struts2, ognl

Prevent getText() evaluating EL expressions


In the Struts2 backend, I have an action class instance variable, e.g. keyName, a dynamic key returned to the view (JSP).

This keyName variable is set from a request parameter sent with the POST method. Depending on the request parameter value, the keyName will vary.

In JSP, I am using <s:property value="getText(keyName)" /> to show the label corresponding to the key given by keyName variable.

When I send an EL expression, for example ${90-40}, as keyName, this expression is evaluated and results in 50 being shown on the UI.

How can we avoid or prevent such EL injection with getText()?

Is there any other alternative way instead of <s:property value="getText(keyName)" />?


Solution

  • You could create your own text provider and register it in struts.xml:

    <constant name="struts.xworkTextProvider" value="com.struts.text.MyTextProvier"/>
    

    Now create a class MyTextProvier that extends TextProviderSupport and override the getText() methods. All of them take the key parameter as a String, and you can strip unwanted characters from it before calling super.getText(). For example:

    @Override
    public String getText(String key) {
      // strip '$', '{' and '}' so a key such as "${90-40}" can no longer be evaluated as an expression
      return super.getText(key.replaceAll("[\\$\\{\\}]", ""));
    }
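As an added example (not code from the answer above), here is a fuller version of that provider. It goes one step further than removing three characters: it accepts only plain identifier keys and substitutes a fixed fallback key for anything else, which also covers the %{...} form and null keys. The fallback key name is an assumption, the class name is the one the answer registers in struts.xml, and the wiring assumes the no-arg construction and setter injection that Struts uses for the struts.xworkTextProvider bean.

```java
package com.struts.text;

import java.util.List;
import java.util.regex.Pattern;
import com.opensymphony.xwork2.TextProviderSupport;
import com.opensymphony.xwork2.util.ValueStack;

/**
 * Text provider that only passes plain identifier keys to the bundle lookup,
 * so a request-controlled key such as "${90-40}" or "%{...}" never reaches
 * the expression evaluator. Registered via struts.xworkTextProvider.
 */
public class MyTextProvier extends TextProviderSupport {

    // Allow-list: message keys may contain letters, digits, '.', '_' and '-'.
    private static final Pattern SAFE_KEY = Pattern.compile("[A-Za-z0-9._-]+");

    // Assumed fallback key; it is expected to exist in the resource bundle.
    static final String FALLBACK_KEY = "label.unknown";

    /** Returns key unchanged if it is a plain identifier, otherwise FALLBACK_KEY. */
    static String sanitizeKey(String key) {
        if (key == null || !SAFE_KEY.matcher(key).matches()) {
            return FALLBACK_KEY;
        }
        return key;
    }

    @Override
    public String getText(String key) {
        return super.getText(sanitizeKey(key));
    }

    @Override
    public String getText(String key, String defaultValue) {
        return super.getText(sanitizeKey(key), defaultValue);
    }

    @Override
    public String getText(String key, List<?> args) {
        return super.getText(sanitizeKey(key), args);
    }

    // The remaining getText(...) overloads of TextProvider are wrapped the same way.
    @Override
    public String getText(String key, String defaultValue, List<?> args, ValueStack stack) {
        return super.getText(sanitizeKey(key), defaultValue, args, stack);
    }
}
```

Because sanitizeKey() replaces rather than strips, a rejected key produces a visible "unknown label" in the UI instead of a silently mangled lookup, which also makes probing attempts easy to spot in logs.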