struts-dev mailing list archives

From "Ing. Andrea Vettori" <>
Subject Re: JSP EL in struts2 tags
Date Fri, 30 Nov 2007 16:40:42 GMT

On 30 Nov 2007, at 17:22, Brian Pontarelli wrote:

> Andrea Vettori wrote:
>> Already posted on the user list but maybe more appropriate here...
>> Hi,
>> I've been away from this list for a long time.
>> I found, to my big surprise, that JSP EL is not available in S2 tags
>> anymore. I looked at the release notes and found it was because of a
>> security problem similar to one I discovered some time ago.
>> What I haven't understood is:
>> If in the JSP EL I use ONLY page variables in S2 tags (that is, I
>> don't use request variables), does the problem still exist?
> I doubt it because the issue is a user passing in a request
> parameter that contains an OGNL expression (from what I understand).
> However, I think this and many other things warrant a full
> discussion of OGNL, JSP EL, the Unified EL and figuring out how to
> reduce the difficulty for users getting into S2 and for making
> everything more consistent overall. One of the big items is that a
> mixture of EL and OGNL is somewhat painful and confusing. With this
> change it also makes upgrading older applications very difficult. In
> addition, use of many expression languages makes maintenance more
> difficult when the page uses many JSP taglibs in addition to the S2
> taglibs.

It seems to me that if the problem is triggered only when using a
request parameter inside EL, then EL should be on by default in S2 tags,
because using request parameters that way is bad practice (shouldn't
we use the action's getters/setters and then call a JSP view?)

I also think that this mixture of OGNL and EL is confusing, and if I
must choose to have only one, I'll choose EL, which is a standard and is
supported by many other taglibs.

Ing. Andrea Vettori
Information Technology Consultant
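The exchange above turns on one mechanism: a tag attribute is evaluated twice, first by JSP EL and then by OGNL, so a request parameter substituted by EL is fed to the OGNL evaluator as if the page author had written it. The toy below models that pipeline so the difference between "page variable" and "request parameter" in Andrea's question can be seen directly. It is an added illustration, not code from this thread, from Struts 2 or from OGNL: the `${...}` / `%{...}` syntax, the dotted-path resolver, the `page`, `param` and `stack` roots, and all sample values are constructed assumptions, and the real Struts evaluation order is not reproduced here.

```python
import re

# Constructed toy model of two-stage attribute evaluation: JSP-EL-style
# ${...} first, then an OGNL-style %{...} pass over the result. Added
# illustration only; not Struts 2 or OGNL code.

EL_RE = re.compile(r"\$\{([^}]*)\}")     # ${...}  first pass (EL)
OGNL_RE = re.compile(r"%\{([^}]*)\}")    # %{...}  second pass (OGNL-like)

# Constructed sample data. PAGE stands for page-scoped variables the author
# controls, PARAMS for request parameters the client controls, and STACK for
# something reachable only through an expression (assumed, hypothetical).
PAGE = {"title": "Order summary"}
PARAMS = {"q": "shoes", "evil": "%{stack.apiKey}"}
STACK = {"apiKey": "SECRET-KEY-123"}
ROOTS = {"page": PAGE, "param": PARAMS, "stack": STACK}


def evaluate(expr: str) -> str:
    """Resolve a dotted path such as 'param.q' against ROOTS.

    This deliberately supports nothing but simple lookups; the point is who
    gets to choose the path, not how rich the language is.
    """
    root, _, key = expr.strip().partition(".")
    if root not in ROOTS or key not in ROOTS[root]:
        raise KeyError(f"unresolvable expression: {expr!r}")
    return str(ROOTS[root][key])


def render_double_eval(attr: str) -> str:
    """Vulnerable pipeline: EL output is spliced back into the attribute
    string and the OGNL pass then evaluates whatever that output contained."""
    after_el = EL_RE.sub(lambda m: evaluate(m.group(1)), attr)
    return OGNL_RE.sub(lambda m: evaluate(m.group(1)), after_el)


def render_single_eval(attr: str) -> str:
    """Hardened pipeline: the OGNL pass runs only over the author-written
    template text; EL results are inserted as literals and never re-parsed."""
    out = []
    pos = 0
    for m in EL_RE.finditer(attr):
        static = attr[pos:m.start()]
        out.append(OGNL_RE.sub(lambda mm: evaluate(mm.group(1)), static))
        out.append(evaluate(m.group(1)))  # literal: no second pass
        pos = m.end()
    out.append(OGNL_RE.sub(lambda mm: evaluate(mm.group(1)), attr[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # A page variable is harmless either way.
    print(render_double_eval("${page.title}"))   # Order summary
    # A request parameter with no expression is also harmless.
    print(render_double_eval("${param.q}"))      # shoes
    # A request parameter carrying an expression is evaluated by pass two.
    print(render_double_eval("${param.evil}"))   # SECRET-KEY-123
    # The same input, with EL results kept literal.
    print(render_single_eval("${param.evil}"))   # %{stack.apiKey}
```

The `${page.title}` case shows why Andrea's restriction to page variables matters: a value the author put into page scope contains no attacker-chosen `%{...}`, so the second pass has nothing to evaluate. The `${param.evil}` case is Brian's description of the issue, and `render_single_eval` shows the general fix of never re-parsing substituted data, of which "turn EL off in tag attributes" is the blunt form.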
