struts-dev mailing list archives

From "Ted Husted" <hus...@apache.org>
Subject Re: JSP EL in struts2 tags
Date Mon, 03 Dec 2007 11:14:11 GMT
As someone mentioned, do we want to bundle both under different URIs?

We could keep the paranoid/safe one as the default, and use a URI like
struts-tags-rt for the one that allows all runtime expressions. To use
the other, we can change one line at the top of the file to "opt in".

-Ted.


On Dec 3, 2007 2:48 AM, Don Brown <mrdon@twdata.org> wrote:
> On 12/3/07, Ing. Andrea Vettori <mail@andreavettori.com> wrote:
> > I'm happy to know that a complete solution is being planned/developed.
> > I just say that if the security problem is caused only by bad
> > programming practice, removing EL evaluation from the S2 tld is causing
> > upgrade problems for many well-written applications.
>
> It isn't so much bad programming practices as unintentionally opening
> your application up to abuse.  If you are confident that your
> application isn't vulnerable, feel free to replace the struts-tags.tld
> in the struts jar with one that allows expressions.  The 10 minutes
> that will take will probably save you tons of time.
>
> Don

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
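As an added illustration of the opt-in scheme sketched in the message above (this is not a file from the Struts distribution; the struts-tags-rt URI, the single tag shown and the tag-class are assumed for the example), the two TLDs would differ only in their URI and in the rtexprvalue flag on each attribute. With rtexprvalue false, a page that writes a container runtime expression such as ${param.name} into the attribute fails at JSP translation time, so the tag's own OGNL evaluation is the only expression pass over the value; with rtexprvalue true, the container evaluates the EL first and hands the result to the tag, which evaluates it again, and that second pass is what the safe default removes:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative excerpt, not the project's own TLD.                      -->
<!-- Default, "paranoid" descriptor: attribute values are literal strings,   -->
<!-- so no container EL or <%= %> scriptlet can reach the tag's OGNL pass.   -->
<taglib xmlns="http://java.sun.com/xml/ns/j2ee" version="2.0">
  <tlib-version>2.0</tlib-version>
  <short-name>s</short-name>
  <uri>/struts-tags</uri>
  <tag>
    <name>property</name>
    <tag-class>org.apache.struts2.views.jsp.PropertyTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <name>value</name>
      <required>false</required>
      <!-- false: a page using value="${param.name}" fails to translate -->
      <rtexprvalue>false</rtexprvalue>
    </attribute>
  </tag>
</taglib>

<!-- Hypothetical opt-in descriptor (struts-tags-rt), identical apart from    -->
<!-- the URI and rtexprvalue=true; the container now evaluates EL before the  -->
<!-- tag evaluates OGNL, i.e. two expression passes over the same value.      -->
<?xml version="1.0" encoding="UTF-8"?>
<taglib xmlns="http://java.sun.com/xml/ns/j2ee" version="2.0">
  <tlib-version>2.0</tlib-version>
  <short-name>s</short-name>
  <uri>/struts-tags-rt</uri>
  <tag>
    <name>property</name>
    <tag-class>org.apache.struts2.views.jsp.PropertyTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <name>value</name>
      <required>false</required>
      <!-- true: runtime expressions are accepted; only opt in per page -->
      <rtexprvalue>true</rtexprvalue>
    </attribute>
  </tag>
</taglib>
```

Under this arrangement a JSP opts in by changing its taglib directive from `<%@ taglib prefix="s" uri="/struts-tags" %>` to `<%@ taglib prefix="s" uri="/struts-tags-rt" %>`, which is the one-line change the message refers to; pages that keep the default URI are unaffected, and a grep for the -rt URI across the web application gives a quick inventory of which pages have accepted the double-evaluation behaviour.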

