struts-dev mailing list archives

From Joe Germuska <>
Subject Re: Validation Security Hole?
Date Thu, 26 Jan 2006 09:52:50 GMT
>On 1/22/06, Craig McClanahan wrote:
>>  I doubt there is any clean backwards-compatible approach to dealing with
>>  this ... the best thing I can think of is to switch the default behavior to
>>  not listening to the cancel button *unless* a context init parameter is set,
>>  which says (in effect) "this application knows how to deal with cancel
>>  semantics in *all* of its actions".  But I think we should do *something*
>>  about it.
>IMO we should at a minimum do Craig's suggestion of a global option to
>turn this behaviour on/off. If we then also want to provide more fine
>grained control, then my preference is the first option in Laurie's
>list - add a new attribute to the action mapping.

My understanding of this approach is that you get both for one.  If 
you make the default value for the new action mapping attribute 
"don't allow cancelling" then you have globally turned it off until 
any action mappings have that attribute set.

An additional, independent parameter to turn it off just seems like 
it will be confusing.

Joe Germuska *    

"You really can't burn anything out by trying something new, and
even if you can burn it out, it can be fixed.  Try something new."
	-- Robert Moog
