javascript - Multiple Submit Buttons Security Risk
For some reasons, I need to create a form with 2 submit buttons that are going to call different actions after submission.
I found the following example in https://struts.apache.org/docs/multiple-submit-buttons.html
<s:form method="post" action="mysubmitaction">
  <s:submit value="submit"/>
  <s:submit value="clear" action="myclearaction"/>
</s:form>
As the project is using Struts 2.3.16.3, struts.mapper.action.prefix.enabled = true is needed.
However, is there any risk to enable it in Struts 2.3.16.3? Does it share the same security problem as in 2.3.15.2?
If yes, would you mind providing alternatives to make multiple submit buttons work on a single form? An if-else solution is not preferred.
The vulnerabilities discovered in versions Struts 2.0.0 - Struts 2.3.15.2 are related to OGNL injection attacks. In fact, the action: prefix opens a door to this kind of attack.
Previously it was discovered in S2-016 and fixed in version 2.3.15.1. Lately S2-018 was introduced, and it disabled the action: prefix. It is recommended to upgrade to 2.3.15.3.
This means that using the action: prefix is discouraged, and you can enable it at your own risk. In S2-019 DMI is disabled by default too, so you can't use the method: prefix because it works only if DMI is enabled.
These restrictions had a side effect on multiple button usage where the action or method attributes are used to bind s:submit buttons to an action other than the one in the s:form action attribute. To use multiple buttons that execute their own methods of the action class, you can pass a parameter that holds a method name. It could be a hidden field or a submit field, etc.
When the execute method is called, this information should be available and you can use Java to call the method by name. Another approach, which is popular, is to use JavaScript to modify the form's action attribute in the onclick event handler before the form is submitted.
<s:form name="myform" method="post" action="mysubmitaction">
  <s:submit value="submit"/>
  <s:submit value="clear" onclick="myclearaction()"/>
</s:form>
<script>
  function myclearaction() {
    // Point the form at the other action just before it is submitted
    document.forms["myform"].action = "<s:url action='myclearaction' />";
  }
</script>
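
The parameter-based alternative described in the answer above, sketched as an added example that is not part of the original answer or of Struts itself. The class name MyFormAction, the parameter name button and the handler methods are assumptions; the point is that the request value is looked up in a fixed allowlist instead of being used as a method name directly, which also avoids an if-else chain.

```java
import java.util.Map;
import java.util.function.Supplier;

// Hypothetical action class. In Struts 2 the params interceptor would call
// setButton() with the value of a submit field named "button" (assumed name).
public class MyFormAction {
    private String button;          // request parameter, attacker-controlled
    private String text = "draft";  // constructed sample form state

    // Allowlist: only these parameter values map to handlers. Any other value
    // is rejected, so the request can never select an arbitrary method.
    private final Map<String, Supplier<String>> handlers = Map.of(
        "submit", this::doSubmit,
        "clear",  this::doClear);

    public void setButton(String button) { this.button = button; }
    public String getText() { return text; }

    public String execute() {
        Supplier<String> handler = (button == null) ? null : handlers.get(button);
        if (handler == null) {
            return "input";   // unknown or missing button: back to the form
        }
        return handler.get();
    }

    private String doSubmit() { return "success"; }
    private String doClear()  { text = ""; return "input"; }

    public static void main(String[] args) {
        // Constructed sample values, including one that is not on the allowlist
        for (String value : new String[] {"submit", "clear", "getClass", null}) {
            MyFormAction action = new MyFormAction();
            action.setButton(value);
            System.out.println(value + " -> " + action.execute());
        }
    }
}
```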