Change InternationalizationCheck from JSTL '<fmt:message key>' format? - internationalization

In the SonarQube Web Plugin, the InternationalizationCheck rule searches for internationalization in the form of <fmt:message key=...>. Is there any way to change this? All my internationalization is in the format <f:message key=...>. I assume this was alterable in the 'attributes' section, but I haven't figured out what exactly that section is for, or what to put there.
For example, currently the rule searches for any internationalization in the form of
<fmt:message key="login.label.username" />
As described in the rule's noncompliant/compliant code example. However, in my application, internationalization takes the form of
<f:message key="login.label.username" />
Which is incorrectly labelled as an error by the rule. Nothing in the InternationalizationCheck's source code shows how it explicitly looks for that format, so I need to find a way to make it accept my format as an acceptable line of code instead of giving it a false positive.
Is there any way to specify for the InternationalizationCheck to look for a different format of Internationalization, other than the JSTL taglib prefix of 'fmt'?

Related

org.thymeleaf.exceptions.TemplateProcessingException: Only variable expressions returning numbers or booleans are allowed in this context

I have been using thymeleaf th:onclick attribute to call javascript function with parameters as below
th:onclick="|myFunction('${parameter1}')|"
But with thymeleaf 3.1.10 this has been removed, and they are suggesting to use th:data attribute.
I however found workarounds as below and both of them are working perfectly.
th:attr="onclick=|myFunction('${parameter1}')|"
th:onclick="#{myFunction('${parameter1}')}">
Now I am not sure if these workarounds are the correct way to do things and, if yes, which one is the better way.
The first will work like you want -- however, you are bypassing the security restriction and now your pages are vulnerable to javascript injection (which is the original reason this change was made).
The second one just plain doesn't work. It doesn't expand out the variable ${parameter1}, instead just encoding it as a url like this:
onclick="myFunction?$%7Bparameter1%7D"
You really should be doing it as shown on the page.
th:data-parameter1="${parameter1}" onclick="myFunction(this.getAttribute('data-parameter1'));"
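Why the data-attribute form in the answer above is the safe one, as an added example that is not part of the original thread: a browser HTML-decodes an attribute value before compiling an inline handler as JavaScript, so HTML escaping alone does not keep a value inside a JS string literal. The helper names, the `marker` function and the sample value are constructed for illustration, and the model assumes the template engine applies only HTML attribute escaping.

```javascript
// Added example: models "HTML-decode the attribute, then compile it as JS".
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPES = Object.fromEntries(Object.entries(ESCAPES).map(([k, v]) => [v, k]));

function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, c => ESCAPES[c]);
}
function htmlDecode(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, m => UNESCAPES[m]);
}

// Compile handler source the way an inline on* attribute is compiled and
// record every function the handler ends up calling.
function runHandler(source, element) {
  const calls = [];
  const myFunction = arg => { calls.push(['myFunction', arg]); };
  const marker = () => { calls.push(['marker']); }; // stands in for unintended code
  new Function('myFunction', 'marker', source).call(element, myFunction, marker);
  return calls;
}

// Pattern from the first workaround: the value is spliced into handler source.
function inlineHandler(value) {
  const written = htmlEscape("myFunction('" + value + "')"); // bytes in the HTML
  return runHandler(htmlDecode(written), {});                // what the JS engine sees
}

// Pattern from the answer: the value is data, the handler source is constant.
function dataAttrHandler(value) {
  const written = htmlEscape(value);
  const element = {
    getAttribute: name => (name === 'data-parameter1' ? htmlDecode(written) : null),
  };
  return runHandler("myFunction(this.getAttribute('data-parameter1'));", element);
}

// Constructed sample value containing a quote that closes the string literal.
const hostile = "x'); marker(); ('";

console.log(inlineHandler(hostile));   // myFunction('x') plus an extra marker() call
console.log(dataAttrHandler(hostile)); // a single myFunction call with the raw string
```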

Validating Xml Chef template

Google hasn't helped me with this:
We just started using Chef deployment. (And I'm embarrassingly new to it)
I have a web.config template that will have variables set by a data bag.
Using some free online tools, I was able to find and fix syntax problems in my data bag. JSONLint
Is there a way to check the template itself?
Online Xml validation tools like this one fail once a Ruby tag <% is found... and this makes sense because it's not valid Xml. Is there a tool/way to validate the Xml in a template so that the Ruby tags are valid?
All I want to know is if syntactically speaking, the file is valid. Logic errors would be dealt with another way... if that makes sense.
You could substitute the values that are supposed to be set by your <%=...%> tags and validate that, since your final .xml file won't contain any of those tags if you did your template correctly.

validateRequest=true and requestValidationMode="4.0" lets html through

I have a Web Forms website on IIS7 and .NET 4.5.1 and I want the http requests to be validated using Microsoft's Request validation. The web.config default values for validateRequest and requestValidationMode are supposed to be "true" and "4.0" respectively and that should be what I want (I tried specifying them just in case).
<pages validateRequest="true">
<httpRuntime requestValidationMode="4.0" />
For some reason, when I input an html tag (tried < script > and < a >) in a form then submitting it, I get the expected Potentially Dangerous request error, but the tag gets saved in the database. Why did it go through? I simply take the textbox's Text value as is and send it to my DB, but I expect the error to stop that from happening.
When I tried setting:
<httpRuntime requestValidationMode="2.0" />
The error was the same, but this time, the tag didn't end up in the database, which is what I want.
I would like to understand why the less safe validation mode "2.0" is the only one that actually prevents the request from going through in my case, which doesn't seem to make much sense. There must be something I'm missing, please let me know if I should provide other information.
I have found a solution to my own problem. It would appear that Microsoft's documentation about requestValidationMode states that all values above "4.0" are interpreted as "4.0", but that isn't true. Reading this interesting page, I have found out there's a "4.5" value that is valid and does exactly what I wanted.

rel="canonical" html5 unable to validate

Should the link attribute rel="canonical" validate against html5?
It is the first time I am using this and I am getting the following validation errors:
"Bad value canonical for attribute rel on element link: Keyword canonical is not registered."
It kind of suggests it shouldn't, although I can't find any concrete documentation on this.
Edit - Here is the line that is throwing the validator off:
<link rel="canonical" href="http://dev.local/" />
I have tried it with and without the closing slash
Validator is marking canonical invalid because canonical is a recent addition (as Gutmann pointed out) and the validation tool does not update in real time. The W3C tells us why canonical is on the Microformats wiki but does not validate. It is because the updates of wiki data in the validator are manual.
You will see this in the validation reporting:
"A whitespace-separated list of link types listed as allowed on in the HTML specification or listed as an allowed on on the Microformats wiki without duplicate keywords in the list. Note that updates of the wiki data in the validator are manual and do not happen in real time"
This will validate on their next manual update.
There is no definition for the canonical rel in the HTML5 spec, but it does also say that:
The rel attribute has no default value. If the attribute is omitted or if none of the values in the attribute are recognized by the user agent, then the document has no particular relationship with the destination resource other than there being a hyperlink between the two.
So, it's not technically conforming HTML5, but it will simply be ignored by UAs which don't understand it.
Use this data-rel
<link data-rel="canonical" href="http://dev.local/" />
In the error description they do reference the Microformats wiki as the list of valid link types; their list contains the "canonical" link type.
I believe that this is a temporary bug in the validator because it reported an error for rel="canonical" only on my HTML5 website, but not on my other XHTML website.
From what I can gather from the output of the validator and the part of the spec that defines the link's rel attribute I'd say the validator is marking the document as invalid due to the "canonical" type being only a proposal and not part of the official linkTypes right now.
At the same time that page also says ...
Types defined as extensions in the Microformats wiki existing-rel-values page with the status "proposed" or "ratified" may be used with the rel attribute on link, a, and area elements in accordance to the "Effect on..." field. [MFREL]
The validation message refers to this list of currently valid extensions to the "official catalog".
Up until June 2 this list did not contain the canonical link type so the validator was IMO correct in marking the document as invalid.
But now that the canonical type is in the list of proposed types, I think this is just a matter of time before the validator will also recognize it :-)

how spring mvc tag works?

I am trying to write some kind of raw HTML to mimic what the Spring MVC tag produces after page rendering (and I do make them look exactly the same if you open them with an HTML element inspector), as I want to create a dynamic input form using JavaScript. But it didn't work. It seems I had to use only what it offers, e.g. <form:input path="firstName" />, to get the data binding working.
I thought the tag lib only helps you to produce an HTML block that Spring knows how to handle in the backend (action). From a web HTTP perspective, what else can it send beyond a bunch of form data? They should send the same thing. So I am really curious to learn what magic thing the tag lib does beyond producing an HTML block.
The other thing I would like to know is where the model object is being held when the form is being submitted to a matched action. You know, you can get the model attribute by using #modelAttribute as the input parameter. Is it in the original request object? Or in the ActionRequest which the dispatcherServlet builds and puts it in? Or even somewhere else?
Thanks in advance.
I got it figured out. The raw HTML just works as the Spring tag does, as long as you are in the form tag block. You are okay to use raw HTML such as
<input type="text" id="abc" name="abc"/> just make sure name reflects your bean attribute path.
id is not mandatory and just helps you to identify the very element. I guess I missed something when I worked with the raw HTML by the time I asked the question. Hope this helps for guys working with the raw HTML approach, especially in the case of dynamic input creation.
