struts-dev mailing list archives

From "Antonio Petrelli" <antonio.petre...@gmail.com>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 13:18:37 GMT
2007/7/16, Aram Mkhitaryan <aram.mkhitaryan@googlemail.com>:
>
> everywhere in s2 tags the user submitted values should not be evaluated
> till it is not requested with a method call like "eval(ognlString)",
> otherwise it should not work
I disagree. Whatever the user types in the fields, it MUST NOT be evaluated,
otherwise we will always have a security issue.
The only thing that could be done is type conversion (e.g. String->int).

Antonio
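The position above (submitted values are only ever type-converted, never handed to an expression evaluator) as an added illustration that is not code from this thread or from Struts itself; `LiteralParamBinder`, `bind` and `escapeHtml` are hypothetical names, and the submitted string is a constructed sample.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

/** Hypothetical binder: a request parameter is a literal string that is
 *  either converted to the field's declared type or rejected. There is
 *  deliberately no code path that treats the string as an expression. */
public final class LiteralParamBinder {
    // Converters keyed by target type; each sees the raw string as data only.
    private static final Map<Class<?>, Function<String, Object>> CONVERTERS = new HashMap<>();
    static {
        CONVERTERS.put(String.class, s -> s);                        // kept verbatim
        CONVERTERS.put(Integer.class, s -> Integer.valueOf(s.trim())); // strict parse
        CONVERTERS.put(Boolean.class, s -> {
            String t = s.trim().toLowerCase();
            if (t.equals("true") || t.equals("false")) return Boolean.valueOf(t);
            throw new IllegalArgumentException("not a boolean: " + s);
        });
    }

    /** Convert one submitted value to the declared type, or fail closed. */
    public static Object bind(String raw, Class<?> target) {
        Function<String, Object> conv = CONVERTERS.get(target);
        if (conv == null) throw new IllegalArgumentException("no converter for " + target);
        return conv.apply(raw); // NumberFormatException is an IllegalArgumentException
    }

    /** Escape on output so a literally stored string cannot become markup. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String submitted = "%{1+1}"; // constructed: looks like an expression
        String name = (String) bind(submitted, String.class); // stays the literal text
        System.out.println("name field stored as: " + name + ", rendered: " + escapeHtml(name));
        try {
            bind(submitted, Integer.class); // not an int: rejected, never evaluated
        } catch (IllegalArgumentException e) {
            System.out.println("age field rejected: " + e.getMessage());
        }
    }
}
```

The same input is accepted as plain text for a String field and refused for an int field; in neither case does anything parse it as OGNL.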
