struts-dev mailing list archives

From "Antonio Petrelli" <>
Subject Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)
Date Mon, 16 Jul 2007 14:09:20 GMT
2007/7/16, Ing. Andrea Vettori <>:
> What about expression like "%{foo} %{bar}" that work with the current
> version but don't work using the loopCounter patch ?
> I don't think we need them but who knows...

I think that recursion is a false problem: it's up to the developer to
control it (I don't think that JSP EL controls it, correct me if I am
wrong). Eventually a log message can be written, but preventing it is not a
solution, because a particular case (such as a circular reference) will
always be present.
The "real" problem is that a user should not be allowed to execute such OGNL

