Adds a tip to use custom error page or disable DMI
diff --git a/source/security/index.md b/source/security/index.md
index 44f73f7..6046946 100644
--- a/source/security/index.md
+++ b/source/security/index.md
@@ -150,6 +150,30 @@
 
 The safest option is to use Struts Tags instead.
 
+### Define custom error pages
+
+As mentioned in [S2-006](https://cwiki.apache.org/confluence/display/WW/S2-006) it's a good practicse to define your own 
+error pages. This avoids exposing users to XSS attacks as Struts does not escape action's names in automatically 
+generated error pages.
+
+You can eaither disable [DMI](../core-developers/action-configuration#dynamic-method-invocation)
+
+```xml
+<constant name="struts.enable.DynamicMethodInvocation" value="false" />
+``` 
+
+or define an error page
+
+```xml
+<global-results>
+  <result name="error">/error_page.jsp</result>
+</global-results>
+ 
+<global-exception-mappings>
+  <exception-mapping exception="java.lang.Exception" result="error"/>
+</global-exception-mappings>
+```
+
 ## Internal security mechanism
 
 The Apache Struts 2 contains internal security manager which blocks access to particular classes and Java packages -
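Review bot: The added section presents disabling DMI and defining an error page as interchangeable ("You can eaither disable ... or define an error page"), but the heading and the opening paragraph only motivate the custom error page. Nothing explains how DMI relates to the unescaped action name in the generated error page. Please add a sentence stating that link and saying whether applying both settings is recommended, since a reader who picks only one cannot tell from this text what remains exposed. It is also worth noting that `/error_page.jsp` must not print the action name unescaped itself, otherwise the custom page reintroduces the problem the section describes. Wording nits in the added lines: "practicse" should be "practice", "eaither" should be "either", and "action's names" should be "action names". There is trailing whitespace at the end of the first two lines of the opening paragraph, after the closing fence of the first `xml` block, and on the otherwise blank line between `</global-results>` and `<global-exception-mappings>`.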