Modified: websites/production/struts/content/docs/processing-forms.html
==============================================================================
--- websites/production/struts/content/docs/processing-forms.html (original)
+++ websites/production/struts/content/docs/processing-forms.html Fri Mar 11 
11:02:24 2016
@@ -138,7 +138,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><div 
class="confluence-information-macro 
confluence-information-macro-information"><span class="aui-icon aui-icon-small 
aui-iconfont-info confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>This tutorial assumes you've 
completed the <a shape="rect" class="unresolved" href="#">Coding Struts 2 
Actons</a> tutorial and have a working coding_actions project. The example code 
for this tutorial, form_processing, is available for checkout from the Struts 2 
GitHub subversion repository: <a shape="rect" class="external-link" 
href="https://github.com/apache/struts-examples"; 
rel="nofollow">https://github.com/apache/struts-examples</a>.</p></div></div><h3
 id="ProcessingForms-Introduction">Introduction</h3><p>In this tutorial we'll 
explore using Struts 2 to do more involved processing of a form submission. 
We'll cover how to use a Java model class to store the form input and how to 
create the Struts 2 form to match up
  with that model class.</p><p>The code provided in this tutorial may be added 
to the <a shape="rect" href="coding-struts-2-actions.html">Coding Struts 2 
Actions</a> example or you can download this complete example from Google Code 
- <a shape="rect" class="external-link" 
href="http://code.google.com/p/struts2-examples/downloads/list"; 
rel="nofollow">http://code.google.com/p/struts2-examples/downloads/list</a>.</p><div
 class="confluence-information-macro confluence-information-macro-tip"><span 
class="aui-icon aui-icon-small aui-iconfont-approve 
confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>The <a shape="rect" 
class="external-link" href="http://struts.apache.org/mail.html";>Struts 2 user 
mailing list</a> is an excellent place to get help. If you are having a problem 
getting the tutorial example applications to work search the Struts 2 mailing 
list. If you don't find an answer to your problem, post a question on the 
mailing list.</p></div></d
 iv><h3 id="ProcessingForms-FormsandAJavaModelClass">Forms and A Java Model 
Class</h3><p>For this tutorial let's say we need to provide a form that a user 
may submit to register for a prize drawing. Our business rules state the user 
must provide his/her first name, last name, email address, and age.</p><p>To 
encapsulate this data, we'll use a simple Java class that follows the basic 
Java Bean specifications (public set/get methods for each instance field). If 
you're following along add this class to package 
org.apache.struts.register.model in the <a shape="rect" 
href="coding-struts-2-actions.html">Coding Struts 2 Actions</a> 
example.</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>Person.java</b></div><div class="codeContent panelContent pdl">
+            <div id="ConfluenceContent"><div 
class="confluence-information-macro 
confluence-information-macro-information"><span class="aui-icon aui-icon-small 
aui-iconfont-info confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>This tutorial assumes you've 
completed the <a shape="rect" class="createlink" 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&amp;title=Coding+Struts+2+Actons&amp;linkCreation=true&amp;fromPageId=14811889";>Coding
 Struts 2 Actons</a> tutorial and have a working coding_actions project. The 
example code for this tutorial, form_processing, is available for checkout from 
the Struts 2 GitHub subversion repository: <a shape="rect" 
class="external-link" href="https://github.com/apache/struts-examples"; 
rel="nofollow">https://github.com/apache/struts-examples</a>.</p></div></div><h3
 id="ProcessingForms-Introduction">Introduction</h3><p>In this tutorial we'll 
explore using Struts 2 to do more involv
 ed processing of a form submission. We'll cover how to use a Java model class 
to store the form input and how to create the Struts 2 form to match up with 
that model class.</p><p>The code provided in this tutorial may be added to the 
<a shape="rect" href="coding-struts-2-actions.html">Coding Struts 2 Actions</a> 
example or you can download this complete example from Google Code - <a 
shape="rect" class="external-link" 
href="http://code.google.com/p/struts2-examples/downloads/list"; 
rel="nofollow">http://code.google.com/p/struts2-examples/downloads/list</a>.</p><div
 class="confluence-information-macro confluence-information-macro-tip"><span 
class="aui-icon aui-icon-small aui-iconfont-approve 
confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>The <a shape="rect" 
class="external-link" href="http://struts.apache.org/mail.html";>Struts 2 user 
mailing list</a> is an excellent place to get help. If you are having a problem 
getting the tutorial example 
 applications to work search the Struts 2 mailing list. If you don't find an 
answer to your problem, post a question on the mailing list.</p></div></div><h3 
id="ProcessingForms-FormsandAJavaModelClass">Forms and A Java Model 
Class</h3><p>For this tutorial let's say we need to provide a form that a user 
may submit to register for a prize drawing. Our business rules state the user 
must provide his/her first name, last name, email address, and age.</p><p>To 
encapsulate this data, we'll use a simple Java class that follows the basic 
Java Bean specifications (public set/get methods for each instance field). If 
you're following along add this class to package 
org.apache.struts.register.model in the <a shape="rect" 
href="coding-struts-2-actions.html">Coding Struts 2 Actions</a> 
example.</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>Person.java</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">public class Person
 {
     private String firstName;
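Review bot: The first link in the `+` line still carries the misspelled title "Coding Struts 2 Actons", which is why it does not resolve. The replacement turns it from an inert `href="#"` into a public `createpage.action?...title=Coding+Struts+2+Actons` link on the production site. The same line already links the correctly spelled page as `coding-struts-2-actions.html`, so fix the title in the wiki source and re-export rather than publish the create-page URL. The introduction also sends readers to two different download locations (the GitHub struts-examples repository and the Google Code downloads list); keep one.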
Modified: websites/production/struts/content/docs/release-notes-202.html
==============================================================================
--- websites/production/struts/content/docs/release-notes-202.html (original)
+++ websites/production/struts/content/docs/release-notes-202.html Fri Mar 11 
11:02:24 2016
@@ -172,7 +172,7 @@ under the License.
 
 <h2 id="ReleaseNotes2.0.2-NewFeaturesandPlugins">New Features and Plugins</h2>
 
-<ul><li>Plugins are now documented in the <a shape="rect" class="unresolved" 
href="#">Apache Struts 2 Plugin Registry</a>.</li><li><a shape="rect" 
href="annotations.html">Annotations</a>: @Result annotation now supports 
parameters (WW-1575).</li><li><a shape="rect" href="ajax-tags.html">Ajax 
Tags</a>: The Autocompleter AJAX tag wraps Dojo's ComboBox and supports remote, 
static, and JSON content.</li><li><a shape="rect" 
href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=33274";>Spring
 Plugin</a>: Integrate Spring with your application using a plugin (WW-1499). 
Or, if you prefer, use the <a shape="rect" 
href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=33365";>Plexus
 Plugin</a> instead.</li><li><a shape="rect" 
href="file-upload-interceptor.html">File Uploading</a> Explore multiple file 
uploading through our new Showcase example (WW-1479).</li><li><a shape="rect" 
href="action.html">Action tag</a>: Eliminate unwanted exceptions with the new 
<code>f
 lush</code> attribute (WW-1472).</li><li><a shape="rect" 
href="checkboxlist.html">Checkboxlist</a> tag: Use Maps with CheckboxList 
(WW-1471).</li><li><a shape="rect" href="roles-interceptor.html">Roles 
Interceptor</a>: Integrate JAAS with a new interceptor  - now on the default 
stack (WW-1469).</li><li><a shape="rect" href="textfield.html">Localized 
Links</a>: Use the new <code>key</code> attribute to streamline link markup 
(WW-1458).</li><li><a shape="rect" href="constant-configuration.html">Constant 
Configuration</a>: Override factory default settings from any XML configurtion 
document, including <code>web.xml</code>! (WW-1421).</li><li><a shape="rect" 
href="strutsxml-examples.html">Action Class Ref</a>: Configure a custom default 
Action for any package to use instead of ActionSupport (WW-1420).</li><li><a 
shape="rect" href="struts-maven-archetypes.html">Struts Maven Archetypes</a> 
The standard archetype includes sample code from the <a shape="rect" 
href="bootstrap.html">Bootstrap
 </a> tutorial {WW-1412).</li><li><a shape="rect" 
href="result-types.html">Direct Results</a>: Create a custom Result Type 
directly from an Action class  (WW-1393).</li></ul>
+<ul><li>Plugins are now documented in the <a shape="rect" class="createlink" 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=S2PLUGINS&amp;title=Angosso";>Apache
 Struts 2 Plugin Registry</a>.</li><li><a shape="rect" 
href="annotations.html">Annotations</a>: @Result annotation now supports 
parameters (WW-1575).</li><li><a shape="rect" href="ajax-tags.html">Ajax 
Tags</a>: The Autocompleter AJAX tag wraps Dojo's ComboBox and supports remote, 
static, and JSON content.</li><li><a shape="rect" 
href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=33274";>Spring
 Plugin</a>: Integrate Spring with your application using a plugin (WW-1499). 
Or, if you prefer, use the <a shape="rect" 
href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=33365";>Plexus
 Plugin</a> instead.</li><li><a shape="rect" 
href="file-upload-interceptor.html">File Uploading</a> Explore multiple file 
uploading through our new Showcase example (WW-1479).</li><li><a sha
 pe="rect" href="action.html">Action tag</a>: Eliminate unwanted exceptions 
with the new <code>flush</code> attribute (WW-1472).</li><li><a shape="rect" 
href="checkboxlist.html">Checkboxlist</a> tag: Use Maps with CheckboxList 
(WW-1471).</li><li><a shape="rect" href="roles-interceptor.html">Roles 
Interceptor</a>: Integrate JAAS with a new interceptor  - now on the default 
stack (WW-1469).</li><li><a shape="rect" href="textfield.html">Localized 
Links</a>: Use the new <code>key</code> attribute to streamline link markup 
(WW-1458).</li><li><a shape="rect" href="constant-configuration.html">Constant 
Configuration</a>: Override factory default settings from any XML configurtion 
document, including <code>web.xml</code>! (WW-1421).</li><li><a shape="rect" 
href="strutsxml-examples.html">Action Class Ref</a>: Configure a custom default 
Action for any package to use instead of ActionSupport (WW-1420).</li><li><a 
shape="rect" href="struts-maven-archetypes.html">Struts Maven Archetypes</a> 
The s
 tandard archetype includes sample code from the <a shape="rect" 
href="bootstrap.html">Bootstrap</a> tutorial {WW-1412).</li><li><a shape="rect" 
href="result-types.html">Direct Results</a>: Create a custom Result Type 
directly from an Action class  (WW-1393).</li></ul>
 
 
 <h2 id="ReleaseNotes2.0.2-ExperimentalFeaturesandPlugins">Experimental 
Features and Plugins </h2>
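Review bot: In the first list item the "Apache Struts 2 Plugin Registry" link now targets `createpage.action?spaceKey=S2PLUGINS&amp;title=Angosso`, a create-page form whose title has nothing to do with the link text. Point it at the registry's actual page, or leave it unlinked, before this reaches the production docs. Both sides of the hunk also carry `{WW-1412)` with a mismatched brace and the misspelling "configurtion"; both are worth fixing in the wiki source while this line is being regenerated.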

Modified: websites/production/struts/content/docs/release-plan-200.html
==============================================================================
--- websites/production/struts/content/docs/release-plan-200.html (original)
+++ websites/production/struts/content/docs/release-plan-200.html Fri Mar 11 
11:02:24 2016
@@ -224,7 +224,7 @@ under the License.
 
 <h2 id="ReleasePlan2.0.0-TestBuildDistributionChecklist(A)">Test Build 
Distribution Checklist (A)</h2>
 
-<p>See also <a shape="rect" class="unresolved" href="#">Creating and Signing 
Releases</a></p>
+<p>See also <a shape="rect" class="createlink" 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&amp;title=Creating+and+Signing+Releases&amp;linkCreation=true&amp;fromPageId=19602";>Creating
 and Signing Releases</a></p>
 
 <div class="table-wrap"><table class="confluenceTable"><tbody><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p> # </p></th><th colspan="1" 
rowspan="1" class="confluenceTh"><p> Description </p></th><th colspan="1" 
rowspan="1" class="confluenceTh"><p> Completed </p></th></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p> A1. </p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p> Setup new JIRA version level or update 
release on Roadmap </p></td><th colspan="1" rowspan="1" 
class="confluenceTh"><p> <img class="emoticon emoticon-tick" 
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png";
 data-emoticon-name="tick" alt="(tick)"> Done </p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p> A2. </p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p> Tag release in svn: ${STRUTS_2_0_0} </p></td><th 
colspan="1" rowspan="1" class="confluenceTh"><p> <img class="emoticon emo
 ticon-tick" 
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png";
 data-emoticon-name="tick" alt="(tick)"> Done (r447072) </p></th></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p> A3. </p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p> Update POM version level and run 
Distribution Target </p></td><th colspan="1" rowspan="1" 
class="confluenceTh"><p> <img class="emoticon emoticon-tick" 
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png";
 data-emoticon-name="tick" alt="(tick)"> Done </p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p> A4. </p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p> Create Sums and Sign Distributions </p></td><th 
colspan="1" rowspan="1" class="confluenceTh"><p> <img class="emoticon 
emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb
 3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png" 
data-emoticon-name="tick" alt="(tick)"> Done </p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p> A5. </p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p> Upload Distribution to 
<code>people.apache.org/builds/struts/2.0.0/</code> </p></td><th colspan="1" 
rowspan="1" class="confluenceTh"><p> <img class="emoticon emoticon-tick" 
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png";
 data-emoticon-name="tick" alt="(tick)"> Done </p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p> A6. </p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p> Deploy JAR to Apache Java-Repository </p></td><th 
colspan="1" rowspan="1" class="confluenceTh"><p> <img class="emoticon 
emoticon-tick" 
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticon
 s/check.png" data-emoticon-name="tick" alt="(tick)"> Done 
</p></th></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>&#160;</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p> <code>$ mvn deploy -P pre-assembly</code> </p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p> A7. </p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p> Post release-quality vote on dev@ lists 
</p></td><th colspan="1" rowspan="1" class="confluenceTh"><p> ${STATUS} 
</p></th></tr></tbody></table></div>
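Review bot: The "See also" line that sits above checklist item A4 (Create Sums and Sign Distributions) now leads to a Confluence create-page form (`createpage.action?...title=Creating+and+Signing+Releases`) instead of a signing procedure. Link it to the page that actually documents signing, or drop the anchor and keep plain text, so that release managers following this checklist are not taken to an edit form.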
 

Modified: websites/production/struts/content/docs/rest-plugin.html
==============================================================================
--- websites/production/struts/content/docs/rest-plugin.html (original)
+++ websites/production/struts/content/docs/rest-plugin.html Fri Mar 11 
11:02:24 2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><div 
class="confluence-information-macro 
confluence-information-macro-information"><span class="aui-icon aui-icon-small 
aui-iconfont-info confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>This plugin is only available with 
Struts 2.1.1 or later</p></div></div><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1456773665918 {padding: 0px;}
-div.rbtoc1456773665918 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1456773665918 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1453884501969 {padding: 0px;}
+div.rbtoc1453884501969 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1453884501969 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1456773665918">
+/*]]>*/</style></p><div class="toc-macro rbtoc1453884501969">
 <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a 
shape="rect" href="#RESTPlugin-Overview">Overview</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">1.1</span> <a 
shape="rect" href="#RESTPlugin-Features">Features</a></li><li><span 
class="TOCOutline">1.2</span> <a shape="rect" 
href="#RESTPlugin-MappingRESTURLstoStruts2Actions">Mapping REST URLs to Struts 
2 Actions</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">1.2.1</span> <a 
shape="rect" href="#RESTPlugin-RESTfulURLMappingLogic">RESTful URL Mapping 
Logic</a></li></ul>
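Review bot: The `rbtoc` suffix goes down in this hunk, from 1456773665918 to 1453884501969, while the same suffix in result-configuration.html in this commit goes up. If the suffix is the render time, this page is being replaced by an older export than the one already published; confirm the rest-plugin page was regenerated from the current wiki content before committing. Nothing else in the hunk changes.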

Modified: websites/production/struts/content/docs/result-configuration.html
==============================================================================
--- websites/production/struts/content/docs/result-configuration.html (original)
+++ websites/production/struts/content/docs/result-configuration.html Fri Mar 
11 11:02:24 2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1456773353562 {padding: 0px;}
-div.rbtoc1456773353562 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1456773353562 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1457693886833 {padding: 0px;}
+div.rbtoc1457693886833 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1457693886833 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1456773353562">
+/*]]>*/</style></p><div class="toc-macro rbtoc1457693886833">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#ResultConfiguration-ResultElements">Result Elements</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#ResultConfiguration-IntelligentDefaults">Intelligent 
Defaults</a></li><li><a shape="rect" 
href="#ResultConfiguration-Multiplenames">Multiple names</a></li></ul>
 </li><li><a shape="rect" href="#ResultConfiguration-GlobalResults">Global 
Results</a></li><li><a shape="rect" 
href="#ResultConfiguration-DynamicResults">Dynamic Results</a></li><li><a 
shape="rect" href="#ResultConfiguration-ReturningResultObjects">Returning 
Result Objects</a></li></ul>
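Review bot: The only change here is the generated suffix `rbtoc1456773353562` becoming `rbtoc1457693886833` in the three CSS rules and the `toc-macro` div class; the table of contents itself is identical. Emitting a stable class name from the export, or skipping pages whose only difference is this id, would keep no-op hunks like this out of the production site history and make real content changes easier to spot.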

Modified: websites/production/struts/content/docs/result-types.html
==============================================================================
--- websites/production/struts/content/docs/result-types.html (original)
+++ websites/production/struts/content/docs/result-types.html Fri Mar 11 
11:02:24 2016
@@ -138,7 +138,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><p>Most use cases can be divided into 
two phases. First, we need to change or query the application's state, and then 
we need to present an updated view of the application. The Action class manages 
the application's state, and the Result Type manages the view.</p><h2 
id="ResultTypes-PredefinedResultTypes">Predefined Result Types</h2><p>The 
framework provides several implementations of the 
<code>com.opensymphony.xwork2.Result</code> interface, ready to use in your own 
applications.</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="chain-result.html">Chain 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for 
<a shape="rect" href="action-chaining.html">Action 
Chaining</a></p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" 
href="dispatcher-result.html">Dispatcher Result</a></p></td><td colspan="1
 " rowspan="1" class="confluenceTd"><p>Used for web resource integration, 
including <a shape="rect" href="jsp.html">JSP</a> 
integration</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" 
href="freemarker-result.html">FreeMarker Result</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" 
href="freemarker.html">FreeMarker</a> integration</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
href="httpheader-result.html">HttpHeader Result</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Used to control special HTTP 
behaviors</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="redirect-result.html">Redirect 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to 
redirect to another URL (web resource)</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" 
href="redirect-action-result.
 html">Redirect Action Result</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Used to redirect to another action 
mapping</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a 
shape="rect" href="stream-result.html">Stream Result</a></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Used to stream an InputStream 
back to the browser (usually for file downloads)</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
href="velocity-result.html">Velocity Result</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" 
href="velocity.html">Velocity</a> integration</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" href="xsl-result.html">XSL 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for 
XML/XSLT integration</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="plaintext-result.html">Pl
 ainText Result</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Used to display the raw content of a particular page 
(i.e jsp, HTML)</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="tiles-plugin.html">Tiles 2 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to 
provide Tiles 2 integration</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="tiles-3-plugin.html">Tiles 3 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to 
provide Tiles 3 integration</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="postback-result.html">Postback 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to 
postback request parameters as a form to the specified 
destination</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><a shape="rect" href="json-plugin.html">JSON 
Result</a></td><td
  colspan="1" rowspan="1" class="confluenceTd">Used to serialize actions into 
JSON</td></tr></tbody></table></div><h3 
id="ResultTypes-Optional">Optional</h3><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" 
href="jasperreports-plugin.html">JasperReports Plugin</a></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" 
href="jasperreports-tutorial.html">JasperReports Tutorial</a> 
integration</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional, third-party 
plugin</p></td></tr></tbody></table></div><p>Additional Result Types can be 
created and plugged into an application by implementing the 
<code>com.opensymphony.xwork2.Result</code> interface. Custom Result Types 
might include generating an email or JMS message, generating images, and so 
forth.</p><h2 id="ResultTypes-DefaultParameters">Default Parameters</h2><p>To 
minimize configuration, Results can be conf
 igured with a single value, which will be converted into a parameter, and each 
Result can specify which parameter this value should be set as. For example, 
here is a result defined in XML that uses a default parameter:</p><div 
class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
+            <div id="ConfluenceContent"><p>Most use cases can be divided into 
two phases. First, we need to change or query the application's state, and then 
we need to present an updated view of the application. The Action class manages 
the application's state, and the Result Type manages the view.</p><h2 
id="ResultTypes-PredefinedResultTypes">Predefined Result Types</h2><p>The 
framework provides several implementations of the 
<code>com.opensymphony.xwork2.Result</code> interface, ready to use in your own 
applications.</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="chain-result.html">Chain 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for 
<a shape="rect" href="action-chaining.html">Action 
Chaining</a></p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" 
href="dispatcher-result.html">Dispatcher Result</a></p></td><td colspan="1
 " rowspan="1" class="confluenceTd"><p>Used for web resource integration, 
including <a shape="rect" href="jsp.html">JSP</a> 
integration</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" 
href="freemarker-result.html">FreeMarker Result</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" 
href="freemarker.html">FreeMarker</a> integration</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
href="httpheader-result.html">HttpHeader Result</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Used to control special HTTP 
behaviors</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="redirect-result.html">Redirect 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to 
redirect to another URL (web resource)</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" 
href="redirect-action-result.
 html">Redirect Action Result</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Used to redirect to another action 
mapping</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><a 
shape="rect" href="stream-result.html">Stream Result</a></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Used to stream an InputStream 
back to the browser (usually for file downloads)</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
href="velocity-result.html">Velocity Result</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" 
href="velocity.html">Velocity</a> integration</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" href="xsl-result.html">XSL 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used for 
XML/XSLT integration</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="plaintext-result.html">Pl
 ainText Result</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Used to display the raw content of a particular page 
(i.e jsp, HTML)</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="tiles-2-plugin.html">Tiles 2 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to 
provide Tiles 2 integration</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="tiles-3-plugin.html">Tiles 3 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to 
provide Tiles 3 integration</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" href="postback-result.html">Postback 
Result</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Used to 
postback request parameters as a form to the specified 
destination</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><a shape="rect" href="json-plugin.html">JSON 
Result</a></td><
 td colspan="1" rowspan="1" class="confluenceTd">Used to serialize actions into 
JSON</td></tr></tbody></table></div><h3 
id="ResultTypes-Optional">Optional</h3><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" 
href="jasperreports-plugin.html">JasperReports Plugin</a></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Used for <a shape="rect" 
href="jasperreports-tutorial.html">JasperReports Tutorial</a> 
integration</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional, third-party 
plugin</p></td></tr></tbody></table></div><p>Additional Result Types can be 
created and plugged into an application by implementing the 
<code>com.opensymphony.xwork2.Result</code> interface. Custom Result Types 
might include generating an email or JMS message, generating images, and so 
forth.</p><h2 id="ResultTypes-DefaultParameters">Default Parameters</h2><p>To 
minimize configuration, Results can be co
 nfigured with a single value, which will be converted into a parameter, and 
each Result can specify which parameter this value should be set as. For 
example, here is a result defined in XML that uses a default parameter:</p><div 
class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;result type="freemarker"&gt;foo.fm&lt;/result&gt;
 </pre>
 </div></div><p>That is the equivalent to this:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
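Review bot: The single functional change in this long line is in the "Tiles 2 Result" row, where the href moves from `tiles-plugin.html` to `tiles-2-plugin.html`. Check that `tiles-2-plugin.html` is published in the same commit and that `tiles-plugin.html` either remains or redirects, since other pages and external links may still point at the old name. Because the whole page body is one line, the diff hides this rename inside a full-line replacement; exporting with line breaks between block elements would make such changes reviewable.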

Modified: websites/production/struts/content/docs/s2-003.html
==============================================================================
--- websites/production/struts/content/docs/s2-003.html (original)
+++ websites/production/struts/content/docs/s2-003.html Fri Mar 11 11:02:24 2016
@@ -139,11 +139,11 @@ under the License.
 
 <p>So, for instance, to set #session.user to '0wn3d' the following parameter 
name can be used:</p>
 
-<p>('\u0023' + 'session<a shape="rect" class="unresolved" 
href="#">\'user\'</a>')(unused)=0wn3d</p>
+<p>('\u0023' + 'session<a shape="rect" class="createlink" 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&amp;title=%5C%27user%5C%27&amp;linkCreation=true&amp;fromPageId=88882";>\'user\'</a>')(unused)=0wn3d</p>
 
 <p>which will look as follows once URL encoded:</p>
 
-<p>('\u0023'%20%2b%20'session<a shape="rect" class="unresolved" 
href="#">\'user\'</a>')(unused)=0wn3d </p>
+<p>('\u0023'%20%2b%20'session<a shape="rect" class="createlink" 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&amp;title=%5C%27user%5C%27&amp;linkCreation=true&amp;fromPageId=88882";>\'user\'</a>')(unused)=0wn3d
 </p>
 
 <h2 id="S2-003-Solution">Solution</h2>
 
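Review bot: In both changed paragraphs the example parameter name is still split by an anchor element in the middle of the expression ('session<a ...>\'user\'</a>'), and this revision turns that anchor from an inert href="#" into a live createpage.action link on cwiki with title=%5C%27user%5C%27. The advisory example should render as literal text: escape that fragment in the Confluence source, or put the two examples in a preformatted block, so the export emits no <a> inside the expression and the bulletin does not send readers to a page-creation form.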

Added: websites/production/struts/content/docs/s2-028.html
==============================================================================
--- websites/production/struts/content/docs/s2-028.html (added)
+++ websites/production/struts/content/docs/s2-028.html Fri Mar 11 11:02:24 2016
@@ -0,0 +1,165 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-028</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a 
href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a 
href="s2-028.html">S2-028</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search"; 
method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-028</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62686284";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Edit Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62686284";>Edit
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62686284";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62686284";>Add
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62686284";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add News"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62686284";>Add
 News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 
id="S2-028-Summary">Summary</h2>Use of a JRE with broken URLDecoder 
implementation may lead to XSS vulnerability in Struts 2 based web 
applications.<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Affects of a cross-site scripting 
vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Upgrade runtime JRE to a recent major 
version, preferably 1.8. 
 Alternatively upgrade to <a shape="rect" class="external-link" 
href="http://struts.apache.org/download.cgi#struts2325";>Struts 
2.3.25</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: 
rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>WhiteHat Security (<a shape="rect" 
class="external-link" href="http://whitehatsec.com"; 
rel="nofollow">whitehatsec.com</a>)</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p><span style="color: 
rgb(34,34,34);">-</span></p></td></tr></tbody></table></div><h2 
id="S2-028-Problem">Problem</h2><p>When using a single byte page encoding such 
as ISO-8895-1, an attacker might submit a non-spec URL-encoded p
 arameter value including multi-byte characters.</p><p>Struts 2 used the 
standard JRE URLDecoder to decode parameter values.&#160;<span>Especially JRE 
1.5's URLDecoder implementation seems to be broken to the point that this 
non-spec encoding isn't rejected / filtered. In later JREs the issue was fixed, 
best known solution is found in JRE 1.8.</span></p><h2 
id="S2-028-Solution">Solution</h2><p>Upgrade runtime JRE/JDK, preferably to the 
most recent 1.8 version.</p><p>Alternatively&#160;<span style="line-height: 
1.42857;">upgrade to Struts 2.3.25, which includes and uses a safe URLDecoder 
implementation from Apache Tomcat</span></p><h2 
id="S2-028-Backwardcompatibility">Backward compatibility</h2><p>No issues 
expected when upgrading to Struts 2.3.25</p><h2 
id="S2-028-Workaround">Workaround</h2><p>Use UTF-8 for page and parameter 
encoding.</p><h2 id="S2-028-FurtherReference">Further Reference</h2><p><style>
+    .jira-issue {
+        padding: 0 0 0 2px;
+        line-height: 20px;
+    }
+
+    .jira-issue img {
+        padding-right: 5px;
+    }
+    .jira-issue .aui-lozenge {
+        line-height: 18px;
+        vertical-align: top;
+    }
+
+    .jira-issue .icon {
+        background-position: left center;
+        background-repeat: no-repeat;
+        display: inline-block;
+        font-size: 0;
+        max-height: 16px;
+        text-align: left;
+        text-indent: -9999em;
+        vertical-align: text-bottom;
+    }
+</style>
+
+    <span class="jira-issue WW-4507"><a shape="rect" class="issue-link" 
href="https://issues.apache.org/jira/browse/WW-4507?src=confmacro";>WW-4507</a></span>
+</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
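Review bot: The Problem paragraph names the page encoding as "ISO-8895-1", which is not an existing charset name; it should read ISO-8859-1, since the Workaround ("Use UTF-8 for page and parameter encoding") is only actionable if readers can tell which single-byte encodings are meant. In the summary table the Affected Software cell renders as "Struts 2.0.0 - Struts Struts 2.3.24.1" (the product name is repeated inside the span) and the Impact cell reads "Affects of a cross-site scripting vulnerability"; both should be corrected in the wiki source before the export is published.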

Added: websites/production/struts/content/docs/s2-029.html
==============================================================================
--- websites/production/struts/content/docs/s2-029.html (added)
+++ websites/production/struts/content/docs/s2-029.html Fri Mar 11 11:02:24 2016
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-029</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a 
href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a 
href="s2-029.html">S2-029</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search"; 
method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-029</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687048";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Edit Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687048";>Edit
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687048";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687048";>Add
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687048";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add News"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687048";>Add
 News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 
id="S2-029-Summary">Summary</h2>Double OGNL evaluation when using raw user 
input in tag's attributes.<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution 
vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Always validate incoming parameters' values 
when re-assigning them to certain Struts' tags attributes. Alternative
 ly upgrade to <a shape="rect" class="external-link" 
href="http://struts.apache.org/download.cgi#struts2325";>Struts 
2.3.25</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: 
rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity dot com 
- <a shape="rect" class="external-link" href="http://www.coverity.com/"; 
rel="nofollow">Coverity</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p><span style="color: 
rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2 
id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks performs double 
evaluation of attributes' values assigned
  to certain tags so it is possible to pass in a value that will be evaluated 
again when a tag's attributes will be rendered.</p><h2 
id="S2-029-Solution">Solution</h2><p>Adding a proper validation of each value 
that's coming in and it's used in tag's 
attributes.&#160;Alternatively&#160;<span style="line-height: 1.42857;">upgrade 
to Struts 2.3.25.</span></p><h2 id="S2-029-Backwardcompatibility">Backward 
compatibility</h2><p>No issues expected when upgrading to Struts 2.3.25</p><h2 
id="S2-029-Workaround">Workaround</h2><p>Not possible</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
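Review bot: The Recommendation and Problem text refer only to "certain Struts' tags attributes" and "certain tags", so a reader cannot tell which tags or attributes need the validation the bulletin asks for; name them, or link the tracking issue the way S2-028 does under Further Reference. The Workaround section says "Not possible" while the Solution is "Adding a proper validation of each value", which an application can do without upgrading, so one of the two should be reworded. The Affected Software cell also repeats the product name ("Struts 2.0.0 - Struts Struts 2.3.24.1").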

Added: websites/production/struts/content/docs/s2-030.html
==============================================================================
--- websites/production/struts/content/docs/s2-030.html (added)
+++ websites/production/struts/content/docs/s2-030.html Fri Mar 11 11:02:24 2016
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-030</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a 
href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a 
href="s2-030.html">S2-030</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search"; 
method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-030</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687301";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Edit Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687301";>Edit
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687301";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687301";>Add
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687301";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add News"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687301";>Add
 News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 
id="S2-030-Summary">Summary</h2>Possible XSS vulnerability in 
<code>I18NInterceptor</code><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Possible XSS 
vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Do not expose parts of <code>Locale</code> 
object constructed by <code>I18NInterceptor</code> as it may contain user 
specific string which may leads 
 to XSS vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: 
rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Paolo Perliti paolo dot perliti at miliaris 
dot it - <a shape="rect" class="external-link" href="http://www.miliaris.it/"; 
rel="nofollow">M<span>iliaris</span></a><span>&#160;</span></p></td></tr><tr><th
 colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td 
colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2016-2162</p></td></tr></tbody></table></div><h2 
id="S2-030-Problem">Problem</h2><p>The Apache Struts framework uses 
<code>I18NInterceptor</code> to allow users and developers switch language used 
in the framework and an application built on top of it. The problem is that the 
in
 terceptor doesn't perform any validation of the user input and accept 
arbitrary string which can be used by a developer to display language selected 
by the user. However, the framework doesn't expose the value directly in 
UI.</p><h2 id="S2-030-Solution">Solution</h2><p>If you want present language 
selected by user based on <code>I18NInterceptor</code> always escape the string 
before presenting it to the user.&#160;Alternatively&#160;<span 
style="line-height: 1.42857;">upgrade to Struts 2.3.25.</span></p><h2 
id="S2-030-Backwardcompatibility">Backward compatibility</h2><p>No issues 
expected when upgrading to Struts 2.3.25</p><h2 
id="S2-030-Workaround">Workaround</h2><p>When needed you can use <a 
shape="rect" class="external-link" 
href="https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html";>StringEscapeUtils</a>
 from the Apache Commons to escape the string.</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
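Review bot: The Recommendation cell gives only the "Do not expose parts of Locale object" advice and omits the upgrade to Struts 2.3.25 that the Solution section offers, unlike the S2-028 and S2-029 tables added in the same commit; add it so the summary table is complete. The Workaround links the StringEscapeUtils class without saying which method to call; naming the one that matches the output context (for HTML output, escapeHtml4 in the linked commons-lang3 3.4 API) would make it actionable. Since the Problem text says the interceptor performs no validation, the Solution should also state what changes in 2.3.25. Minor: "which may leads" in the Recommendation, and the repeated "Struts Struts" in Affected Software.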

Modified: websites/production/struts/content/docs/sample-announcements.html
==============================================================================
--- websites/production/struts/content/docs/sample-announcements.html (original)
+++ websites/production/struts/content/docs/sample-announcements.html Fri Mar 
11 11:02:24 2016
@@ -127,11 +127,11 @@ under the License.
         <div class="wiki-content">
             <div id="ConfluenceContent"><h1 
id="Sampleannouncements-Content">Content</h1>
 <style type="text/css">/*<![CDATA[*/
-div.rbtoc1456773755099 {padding: 0px;}
-div.rbtoc1456773755099 ul {list-style: none;margin-left: 0px;}
-div.rbtoc1456773755099 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1453884616256 {padding: 0px;}
+div.rbtoc1453884616256 ul {list-style: none;margin-left: 0px;}
+div.rbtoc1453884616256 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style><div class="toc-macro rbtoc1456773755099">
+/*]]>*/</style><div class="toc-macro rbtoc1453884616256">
 <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a 
shape="rect" href="#Sampleannouncements-Content">Content</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">1.1</span> <a 
shape="rect" 
href="#Sampleannouncements-SampleStrutsAnnotationsRelease/QualityVote">Sample 
Struts Annotations Release/Quality Vote</a></li><li><span 
class="TOCOutline">1.2</span> <a shape="rect" 
href="#Sampleannouncements-SampleTestBuildAnnouncement">Sample Test Build 
Announcement</a></li><li><span class="TOCOutline">1.3</span> <a shape="rect" 
href="#Sampleannouncements-SampleRelease/QualityVote">Sample Release/Quality 
Vote</a></li><li><span class="TOCOutline">1.4</span> <a shape="rect" 
href="#Sampleannouncements-SampleReleaseAnnouncement">Sample Release 
Announcement</a></li><li><span class="TOCOutline">1.5</span> <a shape="rect" 
href="#Sampleannouncements-Fast-TrackinganImportantSecurityRelease">Fast-Tracking
 an Important Security Release</a></li></ul>
 </li></ul>
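Review bot: The only change in this hunk is the numeric suffix of the generated TOC class (rbtoc1456773755099 to rbtoc1453884616256) in the inline style rules and the toc-macro div; the page content itself is unchanged. In a commit that also publishes three security bulletins this is noise that makes the real changes harder to review; consider having the export emit a stable class name, or skipping pages whose only difference is this id.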

Modified: websites/production/struts/content/docs/security-bulletins.html
==============================================================================
--- websites/production/struts/content/docs/security-bulletins.html (original)
+++ websites/production/struts/content/docs/security-bulletins.html Fri Mar 11 
11:02:24 2016
@@ -126,7 +126,7 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p>The following security bulletins 
are available:</p>
-<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> 
&#8212; <span class="smalltext">Remote code exploit on form validation 
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; 
<span class="smalltext">Cross site scripting (XSS) vulnerability on 
&lt;s:url&gt; and &lt;s:a&gt; tags</span></li><li><a shape="rect" 
href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork 
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a 
shape="rect" href="s2-004.html">S2-004</a> &#8212; <span 
class="smalltext">Directory traversal vulnerability while serving static 
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; 
<span class="smalltext">XWork ParameterInterceptors bypass allows remote 
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> 
&#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork 
generated error pages</span></li><li><a shape="rect" hr
 ef="s2-007.html">S2-007</a> &#8212; <span class="smalltext">User input is 
evaluated as an OGNL expression when there's a conversion 
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; 
<span class="smalltext">Multiple critical vulnerabilities in 
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; 
<span class="smalltext">ParameterInterceptor vulnerability allows remote 
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> 
&#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF 
protection, token check may be bypassed by misusing known session 
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; 
<span class="smalltext">Long request parameter names might significantly 
promote the effectiveness of DOS attacks</span></li><li><a shape="rect" 
href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app 
vulnerability allows remote command execution</span></li>
 <li><a shape="rect" href="s2-013.html">S2-013</a> &#8212; <span 
class="smalltext">A vulnerability, present in the includeParams attribute of 
the URL and Anchor Tag, allows remote command execution</span></li><li><a 
shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A 
vulnerability introduced by forcing parameter inclusion in the URL and Anchor 
Tag allows remote command execution, session access and manipulation and XSS 
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; 
<span class="smalltext">A vulnerability introduced by wildcard matching 
mechanism or double evaluation of OGNL Expression allows remote command 
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; 
<span class="smalltext">A vulnerability introduced by manipulating parameters 
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command 
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; 
<span class="sma
 lltext">A vulnerability introduced by manipulating parameters prefixed with 
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a 
shape="rect" href="s2-018.html">S2-018</a> &#8212; <span 
class="smalltext">Broken Access Control Vulnerability in Apache 
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; 
<span class="smalltext">Dynamic Method Invocation disabled by 
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; 
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS 
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid 
ClassLoader manipulation)</span></li><li><a shape="rect" 
href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded 
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader 
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> 
&#8212; <span class="smalltext">Extends excluded params in CookieInt
 erceptor to avoid manipulation of Struts' internals</span></li><li><a 
shape="rect" href="s2-023.html">S2-023</a> &#8212; <span 
class="smalltext">Generated value of token can be predictable</span></li><li><a 
shape="rect" href="s2-024.html">S2-024</a> &#8212; <span 
class="smalltext">Wrong excludeParams overrides those defined in 
DefaultExcludedPatternsChecker</span></li><li><a shape="rect" 
href="s2-025.html">S2-025</a> &#8212; <span class="smalltext">Cross-Site 
Scripting Vulnerability in Debug Mode and in exposed JSP 
files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> &#8212; 
<span class="smalltext">Special top object can be used to access Struts' 
internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> &#8212; 
<span class="smalltext">TextParseUtil.translateVariables does not filter 
malicious OGNL expressions</span></li></ul></div>
+<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> 
&#8212; <span class="smalltext">Remote code exploit on form validation 
error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; 
<span class="smalltext">Cross site scripting (XSS) vulnerability on 
&lt;s:url&gt; and &lt;s:a&gt; tags</span></li><li><a shape="rect" 
href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork 
ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a 
shape="rect" href="s2-004.html">S2-004</a> &#8212; <span 
class="smalltext">Directory traversal vulnerability while serving static 
content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; 
<span class="smalltext">XWork ParameterInterceptors bypass allows remote 
command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> 
&#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork 
generated error pages</span></li><li><a shape="rect" hr
 ef="s2-007.html">S2-007</a> &#8212; <span class="smalltext">User input is 
evaluated as an OGNL expression when there's a conversion 
error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; 
<span class="smalltext">Multiple critical vulnerabilities in 
Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; 
<span class="smalltext">ParameterInterceptor vulnerability allows remote 
command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> 
&#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF 
protection, token check may be bypassed by misusing known session 
attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; 
<span class="smalltext">Long request parameter names might significantly 
promote the effectiveness of DOS attacks</span></li><li><a shape="rect" 
href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app 
vulnerability allows remote command execution</span></li>
 <li><a shape="rect" href="s2-013.html">S2-013</a> &#8212; <span 
class="smalltext">A vulnerability, present in the includeParams attribute of 
the URL and Anchor Tag, allows remote command execution</span></li><li><a 
shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A 
vulnerability introduced by forcing parameter inclusion in the URL and Anchor 
Tag allows remote command execution, session access and manipulation and XSS 
attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; 
<span class="smalltext">A vulnerability introduced by wildcard matching 
mechanism or double evaluation of OGNL Expression allows remote command 
execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; 
<span class="smalltext">A vulnerability introduced by manipulating parameters 
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command 
execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; 
<span class="sma
 lltext">A vulnerability introduced by manipulating parameters prefixed with 
"redirect:"/"redirectAction:" allows for open redirects</span></li><li><a 
shape="rect" href="s2-018.html">S2-018</a> &#8212; <span 
class="smalltext">Broken Access Control Vulnerability in Apache 
Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; 
<span class="smalltext">Dynamic Method Invocation disabled by 
default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; 
<span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS 
attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid 
ClassLoader manipulation)</span></li><li><a shape="rect" 
href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded 
params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader 
manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> 
&#8212; <span class="smalltext">Extends excluded params in CookieInt
 erceptor to avoid manipulation of Struts' internals</span></li><li><a 
shape="rect" href="s2-023.html">S2-023</a> &#8212; <span 
class="smalltext">Generated value of token can be predictable</span></li><li><a 
shape="rect" href="s2-024.html">S2-024</a> &#8212; <span 
class="smalltext">Wrong excludeParams overrides those defined in 
DefaultExcludedPatternsChecker</span></li><li><a shape="rect" 
href="s2-025.html">S2-025</a> &#8212; <span class="smalltext">Cross-Site 
Scripting Vulnerability in Debug Mode and in exposed JSP 
files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> &#8212; 
<span class="smalltext">Special top object can be used to access Struts' 
internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> &#8212; 
<span class="smalltext">TextParseUtil.translateVariables does not filter 
malicious OGNL expressions</span></li><li><a shape="rect" 
href="s2-028.html">S2-028</a> &#8212; <span class="smalltext">Use of a JRE with 
broken URLDecoder implementation may l
 ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a 
shape="rect" href="s2-029.html">S2-029</a> &#8212; <span 
class="smalltext">Double OGNL evaluation when using raw user input in tag's 
attributes.</span></li><li><a shape="rect" href="s2-030.html">S2-030</a> 
&#8212; <span class="smalltext">Possible XSS vulnerability in 
I18NInterceptor</span></li></ul></div>
         </div>
 
                     <div class="tabletitle">
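Review bot: The whole bulletin list is emitted as a single line under ul class="childpages-macro", so adding S2-028, S2-029 and S2-030 shows up as a rewrite of the entire list and a reviewer has to compare the two lines by hand to confirm that S2-001 to S2-027 are untouched. Emitting one li per line in the export would make future bulletin additions reviewable. Minor: the new S2-028 and S2-029 summaries end with a period (as S2-015 does) while the other entries, including S2-030, do not.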
@@ -141,6 +141,15 @@ under the License.
                     <span class="smalltext">(Apache Struts 2 
Documentation)</span>
                     <br>
                                     $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 
Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 
Documentation)</span>
+                    <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 
Documentation)</span>
+                    <br>
+                                    $page.link($child)
                     <span class="smalltext">(Apache Struts 2 
Documentation)</span>
                     <br>
                                     $page.link($child)
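Review bot: The added lines are three more copies of the literal template expression $page.link($child), so the child-page block publishes an unresolved placeholder where a link to each child page should be. The same placeholder already appears in the unchanged context lines, which suggests the export is not resolving this template variable at all; fix the template (or drop the block) rather than adding more unresolved copies to the production site.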

Modified: websites/production/struts/content/docs/security.html
==============================================================================
--- websites/production/struts/content/docs/security.html (original)
+++ websites/production/struts/content/docs/security.html Fri Mar 11 11:02:24 
2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1456773801895 {padding: 0px;}
-div.rbtoc1456773801895 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1456773801895 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1457693901922 {padding: 0px;}
+div.rbtoc1457693901922 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1457693901922 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1456773801895">
+/*]]>*/</style></p><div class="toc-macro rbtoc1457693901922">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Security-Securitytips">Security tips</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config 
Browser</a></li><li><a shape="rect" 
href="#Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix 
different access levels in the same namespace</a></li><li><a shape="rect" 
href="#Security-NeverexposeJSPfilesdirectly">Never expose JSP files 
directly</a></li><li><a shape="rect" href="#Security-DisabledevMode">Disable 
devMode</a></li><li><a shape="rect" href="#Security-UseUTF-8encoding">Use UTF-8 
encoding</a></li></ul>
 </li><li><a shape="rect" href="#Security-Internalsecuritymechanism">Internal 
security mechanism</a>
@@ -212,7 +212,7 @@ public abstract class AbstractAction ext
         // some logic
     }
 }</pre>
-</div></div><p>In such case OGNL cannot properly map which method to call when 
request is coming. This is do the OGNL limitation. To solve the problem don't 
use the same method's names through the hierarchy, you can simply change the 
action's method from&#160;<code>save()</code> 
to&#160;<code>saveAction()</code>&#160;and leaving annotation as is to 
allow&#160;<span style="line-height: 1.4285715;">call this action 
via&#160;</span><code style="line-height: 1.4285715;">/save.action</code><span 
style="line-height: 1.4285715;"> request.</span></p><h4 
id="Security-Accepted/Excludedpatterns"><span style="line-height: 
1.4285715;">Accepted / Excluded patterns</span></h4><p><span 
style="line-height: 1.4285715;">As from version 2.3.20 the framework provides 
two new interfaces which are used to accept / exclude param names and values 
-&#160;<a shape="rect" class="external-link" 
href="http://struts.apache.org/maven/xwork-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html";
 >AcceptedPatternsChecker</a> and&#160;<a shape="rect" class="external-link" 
 >href="http://struts.apache.org/maven/xwork-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html";>ExcludedPatternsChecker</a>
 > with default implementations. These two interfaces are used by&#160;<a 
 >shape="rect" href="parameters-interceptor.html">Parameters Interceptor</a> 
 >and&#160;<a shape="rect" href="cookie-interceptor.html">Cookie 
 >Interceptor</a> to check if param can accepted or must be excluded. If you 
 >were using&#160;<code>excludeParams</code> previously please compare patterns 
 >used by you with these provided by the framework in default 
 >implementation.</span></p><h4 id="Security-StrictMethodInvocation"><span 
 >style="line-height: 1.4285715;">Strict Method Invocation</span></h4><p><span 
 >style="line-height: 1.4285715;">This mechanism was introduced in version 2.5. 
 >It allows control what methods can be accessed with the bang "!" operator via 
 ><a shape="rect" href="action-configuration.htm
 l">Dynamic Method Invocation</a>. Please read more&#160;in Strict Method 
Invocation section of&#160;<a shape="rect" 
href="action-configuration.html">Action Configuration</a>.</span></p></div>
+</div></div><p>In such case OGNL cannot properly map which method to call when 
request is coming. This is do the OGNL limitation. To solve the problem don't 
use the same method's names through the hierarchy, you can simply change the 
action's method from&#160;<code>save()</code> 
to&#160;<code>saveAction()</code>&#160;and leaving annotation as is to 
allow&#160;<span style="line-height: 1.4285715;">call this action 
via&#160;</span><code style="line-height: 1.4285715;">/save.action</code><span 
style="line-height: 1.4285715;"> request.</span></p><h4 
id="Security-Accepted/Excludedpatterns"><span style="line-height: 
1.4285715;">Accepted / Excluded patterns</span></h4><p><span 
style="line-height: 1.4285715;">As from version 2.3.20 the framework provides 
two new interfaces which are used to accept / exclude param names and values 
-&#160;<a shape="rect" class="external-link" 
href="http://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.htm
 l">AcceptedPatternsChecker</a> and&#160;<a shape="rect" class="external-link" 
href="http://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html";>ExcludedPatternsChecker</a>
 with default implementations. These two interfaces are used by&#160;<a 
shape="rect" href="parameters-interceptor.html">Parameters Interceptor</a> 
and&#160;<a shape="rect" href="cookie-interceptor.html">Cookie Interceptor</a> 
to check if param can accepted or must be excluded. If you were 
using&#160;<code>excludeParams</code> previously please compare patterns used 
by you with these provided by the framework in default 
implementation.</span></p><h4 id="Security-StrictMethodInvocation"><span 
style="line-height: 1.4285715;">Strict Method Invocation</span></h4><p><span 
style="line-height: 1.4285715;">This mechanism was introduced in version 2.5. 
It allows control what methods can be accessed with the bang "!" operator via 
<a shape="rect" href="action-configuration
 .html">Dynamic Method Invocation</a>. Please read more&#160;in Strict Method 
Invocation section of&#160;<a shape="rect" 
href="action-configuration.html">Action Configuration</a>.</span></p></div>
         </div>
 
         
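Review bot: In the Accepted / Excluded patterns paragraph, the advice to compare a custom excludeParams with the patterns in the default implementation gives the reader nothing to compare against; link the default implementation there, or the S2-024 bulletin listed in this same commit ("Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker"). The two apidocs links repointed from maven/xwork-core to maven/struts2-core are still plain http and should be confirmed to resolve before publishing. The carried-over wording also needs a pass: "This is do the OGNL limitation" and "to check if param can accepted".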

Modified: websites/production/struts/content/docs/struts-2-blank-archetype.html
==============================================================================
--- websites/production/struts/content/docs/struts-2-blank-archetype.html 
(original)
+++ websites/production/struts/content/docs/struts-2-blank-archetype.html Fri 
Mar 11 11:02:24 2016
@@ -149,11 +149,11 @@ under the License.
 <p><strong>Contents</strong></p>
 
 <style type="text/css">/*<![CDATA[*/
-div.rbtoc1456773702121 {padding: 0px;}
-div.rbtoc1456773702121 ul {list-style: none;margin-left: 0px;padding-left: 
1em;}
-div.rbtoc1456773702121 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1453884536773 {padding: 0px;}
+div.rbtoc1453884536773 ul {list-style: none;margin-left: 0px;padding-left: 
1em;}
+div.rbtoc1453884536773 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style><div class="toc-macro rbtoc1456773702121">
+/*]]>*/</style><div class="toc-macro rbtoc1453884536773">
 <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a 
shape="rect" 
href="#Struts2BlankArchetype-CreatingOurblank-archetypeProject">Creating Our 
blank-archetype Project</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">1.1</span> <a 
shape="rect" href="#Struts2BlankArchetype-Stagingrepository">Staging 
repository</a></li></ul>
 </li><li><span class="TOCOutline">2</span> <a shape="rect" 
href="#Struts2BlankArchetype-ProjectStructure">Project Structure</a>

Modified: websites/production/struts/content/docs/struts-2-maven-archetypes.html
==============================================================================
--- websites/production/struts/content/docs/struts-2-maven-archetypes.html 
(original)
+++ websites/production/struts/content/docs/struts-2-maven-archetypes.html Fri 
Mar 11 11:02:24 2016
@@ -143,11 +143,11 @@ under the License.
 <p><strong>Contents</strong></p>
 
 <style type="text/css">/*<![CDATA[*/
-div.rbtoc1456773703153 {padding: 0px;}
-div.rbtoc1456773703153 ul {list-style: none;margin-left: 0px;padding-left: 
1em;}
-div.rbtoc1456773703153 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1453884535519 {padding: 0px;}
+div.rbtoc1453884535519 ul {list-style: none;margin-left: 0px;padding-left: 
1em;}
+div.rbtoc1453884535519 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style><div class="toc-macro rbtoc1456773703153">
+/*]]>*/</style><div class="toc-macro rbtoc1453884535519">
 <ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a 
shape="rect" 
href="#Struts2MavenArchetypes-Quickstart">Quickstart</a></li><li><span 
class="TOCOutline">2</span> <a shape="rect" 
href="#Struts2MavenArchetypes-AvailableArchetypes">Available Archetypes</a>
 <ul class="toc-indentation"><li><span class="TOCOutline">2.1</span> <a 
shape="rect" 
href="#Struts2MavenArchetypes-TheBlankConventionArchetype(struts2-archetype-convention)">The
 Blank Convention Archetype (struts2-archetype-convention)</a></li><li><span 
class="TOCOutline">2.2</span> <a shape="rect" 
href="#Struts2MavenArchetypes-TheBlankArchetype(struts2-archetype-blank)">The 
Blank Archetype (struts2-archetype-blank)</a></li><li><span 
class="TOCOutline">2.3</span> <a shape="rect" 
href="#Struts2MavenArchetypes-TheStarterArchetype(struts2-archetype-starter)">The
 Starter Archetype (struts2-archetype-starter)</a></li><li><span 
class="TOCOutline">2.4</span> <a shape="rect" 
href="#Struts2MavenArchetypes-TheAngularJSArchetype(struts2-archetype-angularjs)">The
 AngularJS Archetype (struts2-archetype-angularjs)</a></li><li><span 
class="TOCOutline">2.5</span> <a shape="rect" 
href="#Struts2MavenArchetypes-ThePortletBlankArchetype(struts2-archetype-portlet)">The
 Portlet Blank Archetype (struts2-ar
 chetype-portlet)</a></li><li><span class="TOCOutline">2.6</span> <a 
shape="rect" 
href="#Struts2MavenArchetypes-ThePortletDatabaseArchetype(struts2-archetype-dbportlet)">The
 Portlet Database Archetype (struts2-archetype-dbportlet)</a></li><li><span 
class="TOCOutline">2.7</span> <a shape="rect" 
href="#Struts2MavenArchetypes-ThePluginArchetype(struts2-archetype-plugin)">The 
Plugin Archetype (struts2-archetype-plugin)</a></li></ul>
 </li><li><span class="TOCOutline">3</span> <a shape="rect" 
href="#Struts2MavenArchetypes-CreatinganApplicationUsingaMavenArchetype">Creating
 an Application Using a Maven Archetype</a>

Modified: 
websites/production/struts/content/docs/struts-2-spring-2-jpa-ajax.html
==============================================================================
--- websites/production/struts/content/docs/struts-2-spring-2-jpa-ajax.html 
(original)
+++ websites/production/struts/content/docs/struts-2-spring-2-jpa-ajax.html Fri 
Mar 11 11:02:24 2016
@@ -145,11 +145,11 @@ under the License.
 <div class="confluence-information-macro 
confluence-information-macro-tip"><span class="aui-icon aui-icon-small 
aui-iconfont-approve confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>Following this tutorial verbatim 
will require use of a Struts 2 deployment greater than 2.0.3</p></div></div>
 
 <style type="text/css">/*<![CDATA[*/
-div.rbtoc1456773601716 {padding: 0px;}
-div.rbtoc1456773601716 ul {list-style: none;margin-left: 0px;}
-div.rbtoc1456773601716 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1453884419616 {padding: 0px;}
+div.rbtoc1453884419616 ul {list-style: none;margin-left: 0px;}
+div.rbtoc1453884419616 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style><div class="toc-macro rbtoc1456773601716">
+/*]]>*/</style><div class="toc-macro rbtoc1453884419616">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Struts2+Spring2+JPA+AJAX-Prerequisites">Prerequisites</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Struts2+Spring2+JPA+AJAX-Tomcat">Tomcat</a></li><li><a shape="rect" 
href="#Struts2+Spring2+JPA+AJAX-MySql">MySql</a></li></ul>
 </li><li><a shape="rect" href="#Struts2+Spring2+JPA+AJAX-Getthecode">Get the 
code</a>

Modified: websites/production/struts/content/docs/struts-next.html
==============================================================================
--- websites/production/struts/content/docs/struts-next.html (original)
+++ websites/production/struts/content/docs/struts-next.html Fri Mar 11 
11:02:24 2016
@@ -125,12 +125,12 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h3 
id="StrutsNext-/*&lt;![CDATA[*/div.rbtoc1456773756987{padding:0px;}div.rbtoc1456773756987ul{list-style:disc;margin-left:0px;}div.rbtoc1456773756987li{margin-left:0px;padding-left:0px;}/*]]&gt;*/#StrutsNext-Whatshouldbeimproved/changed#StrutsNext-Whatshouldbeimprove"><style
 type="text/css">/*<![CDATA[*/
-div.rbtoc1456773756987 {padding: 0px;}
-div.rbtoc1456773756987 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1456773756987 li {margin-left: 0px;padding-left: 0px;}
+            <div id="ConfluenceContent"><h3 
id="StrutsNext-/*&lt;![CDATA[*/div.rbtoc1453884611957{padding:0px;}div.rbtoc1453884611957ul{list-style:disc;margin-left:0px;}div.rbtoc1453884611957li{margin-left:0px;padding-left:0px;}/*]]&gt;*/#StrutsNext-Whatshouldbeimproved/changed#StrutsNext-Whatshouldbeimprove"><style
 type="text/css">/*<![CDATA[*/
+div.rbtoc1453884611957 {padding: 0px;}
+div.rbtoc1453884611957 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1453884611957 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></h3><div class="toc-macro rbtoc1456773756987">
+/*]]>*/</style></h3><div class="toc-macro rbtoc1453884611957">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#StrutsNext-"></a></li></ul>
 <ul><li><a shape="rect" href="#StrutsNext-Whatshouldbeimproved/changed">What 
should be improved / changed</a></li><li><a shape="rect" 
href="#StrutsNext-DevelopmentplanofStruts3">Development plan of Struts 3</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#StrutsNext-M1(akaStruts2.5)">M1 (aka Struts 2.5)</a></li><li><a 
shape="rect" href="#StrutsNext-M2(alphaStruts3)">M2 (alpha Struts 
3)</a></li><li><a shape="rect" href="#StrutsNext-M3(alphaStruts3)">M3 (alpha 
Struts 3)</a></li><li><a shape="rect" href="#StrutsNext-M4(beta1Struts3)">M4 
(beta 1 Struts 3)</a></li></ul>
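Review bot: The h3 id on the first changed line is built from the TOC macro's inline CSS (it starts id="StrutsNext-/*&lt;![CDATA[*/div.rbtoc1453884611957), so the heading anchor changes every time the rbtoc suffix is regenerated and any link to it breaks. That heading wraps only the style block, and the first TOC entry is an empty link to #StrutsNext-, which points to an empty heading in the source page; removing that heading in the wiki source would stop the export from producing a suffix-dependent id.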


