struts-dev mailing list archives

From "Ted Husted"
Subject Re: JSP EL in struts2 tags
Date Mon, 03 Dec 2007 11:14:11 GMT
As someone mentioned, do we want to bundle both under different URIs?

We could keep the paranoid/safe one as the default, and use a URI like
struts-tags-rt for the one that allows all runtime expressions. To use
the other, we can change one line at the top of the file to "opt in".


On Dec 3, 2007 2:48 AM, Don Brown wrote:
> On 12/3/07, Ing. Andrea Vettori wrote:
> > I'm happy to know that a complete solution is being planned/developed.
> > I just say that if the security problem is caused only by bad
> > programming practice, removing EL evaluation into S2 tld is causing
> > upgrading problems to many well-written applications.
> It isn't so much bad programming practices as unintentionally opening
> your application up to abuse.  If you are confident that your
> application isn't vulnerable, feel free to replace the struts-tags.tld
> in the struts jar with one that allows expressions.  The 10 minutes
> that will take will probably save you tons of time.
> Don
