Obviously the struts.jar needs to be upgraded - but in addtion Struts has changed its dependencies and you will need to deploy the new versions for Commons Bean Utils (1.7.0), Commons Digester (1.6) and Commons Validator (1.1.4). The correct versions of these jars are shipped in the lib directory in the binary distribution.
Addtionally, Struts no longer has a dependency on Commons Collections or Commons Lang, so unless you have other requirements for them, they no longer need to be deployed.
If you deploy the struts tag's tlds, then remember to deploy the new versions shipped with this version. If you don't you won't be able to use the new tag attributes added.
Upgrade to the new version of validator-rules.xml.
N.B. One of the changes in the new validator-rules.xml is that the Validation methods' signatures have changed to now include a Validator parameter.
A cross site scripting(XSS) vulnerability has been identified in Struts versions prior to 1.2.8. See StrutsXssVulnerability for more details.
The change for Bug 34027 has caused a problem with the JavaScript validation when in XHTML mode.
It has been reported in Bug 35127 and a fix applied to the nightly build.
Struts 1.2.7 added non-resource ActionMessage(s) and support for multiple bundles in Validator. However the <html:messages> tag only shows the first non-resource ActionMessage. This also affects the Validator's mutlitple bundle support which is implemented using non-resource ActionMessage(s).
The <html:errrors> tag is not affected by this issue and can be used as an alternative to <html:messages>.
See Bug 35833
CategoryHomepage StrutsUpgrade