These are the notes for the Struts 2.3.27 28 distribution.
For prior notes in this release series, see Version Notes 2.3.20
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<dependency> <groupId>org.apache.struts</groupId> <artifactId>struts2-core</artifactId> <version>2.3.27<28</version> </dependency> |
You can also use Struts Archetype Catalog like below
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<repositories>
<repository>
<id>apache.nexus</id>
<name>ASF Nexus Staging</name>
<url>https://repository.apache.org/content/groups/staging/</url>
</repository>
</repositories> |
Internal Changes
Possible XSS vulnerability in pages not using UTF-8 was fixed, read more details in S2-028- Prevents possible RCE when reusing user input in tag's attributes, see more details in S2-029
-
I18NInterceptornarrows selected locale to those available in JVM to reduce possibility of another XSS vulnerability, see more details in S2-030 - New
Configurationprovidertype was introduced - ServletContextAwareConfigurationProvider, see WW-4410 - Setting status code in
HttpHeadersisn't ignored anymore, see WW-4545 - Spring
BeanPostProcessor(s)are called only once to constructed objects., see WW-4554 - OGNL was upgraded to version 3.0.13, see WW-4562
- Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568
- A dedicated assembly with minimal set of jars was defined, see WW-4570
- Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
- Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
MessageStoreInterceptorwas refactored to usePreResultListenerto store messages, see WW-4605- A new annotation was added to support configuring Tiles -
@TilesDefinition, see WW-4606 - and many other small improvements, please see the release notes
...
| Note |
|---|
This release contains fix related to S2-028, S2-029 and S2-030 security bulletins, please read it carefully! |
Issue Detail
Issue List
Other resources
...