struts-dev mailing list archives

From Jeromy Evans <>
Subject Re: OGNL and parameters
Date Thu, 17 Jul 2008 04:05:43 GMT
Musachy Barroso wrote:
> Should we continue to use OGNL for parameter binding? This creates so
> many possible security holes, in exchange for pretty much nothing,
> when parameter names should be simple (indexing + the old A.B.C
> notation).
> Are there any use cases where the full OGNL power is needed, for
> parameter binding?
> musachy
I haven't seen any obstacles to a change like that. It would be nice if
we could reuse a param binding implementation with type-conversion from
somewhere else rather than reinvent another.

It's a shame though; the current approach is logical if it wasn't so 
open to clever exploits.

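Added example, not code from this thread or from Struts: a parameter binder restricted to the "indexing + A.B.C" names mentioned in the quoted message, which walks bean properties and never evaluates the name as an expression. The names `SimpleParamBinder` and `Node`, the sample inputs, and the String-only restriction (no type conversion) are assumptions made for illustration.

```java
import java.beans.*;
import java.util.*;
import java.util.regex.*;

public class SimpleParamBinder {
    // One path segment: an identifier, optionally followed by [n]. Nothing else is accepted.
    static final Pattern SEGMENT = Pattern.compile("([A-Za-z_][A-Za-z0-9_]*)(?:\\[(\\d{1,4})\\])?");
    // Sets target.<name> = value. Returns false, without writing, unless name is a plain path.
    @SuppressWarnings("unchecked")
    public static boolean bind(Object target, String name, String value) throws Exception {
        String[] parts = name.split("\\.", -1);   // -1 keeps empty segments, so "a..b" is rejected
        for (int i = 0; i < parts.length && target != null; i++) {
            Matcher m = SEGMENT.matcher(parts[i]);
            PropertyDescriptor pd = m.matches() ? find(target.getClass(), m.group(1)) : null;
            if (pd == null) return false;         // calls, operators, quotes, unknown properties
            boolean last = i == parts.length - 1, indexed = m.group(2) != null;
            if (last && !indexed) {               // plain leaf: needs a String setter (no conversion)
                if (pd.getWriteMethod() == null || pd.getPropertyType() != String.class) return false;
                pd.getWriteMethod().invoke(target, value);
                return true;
            }
            target = pd.getReadMethod().invoke(target);
            if (!indexed) continue;
            int idx = Integer.parseInt(m.group(2));
            if (!(target instanceof List) || idx >= ((List<?>) target).size()) return false;
            List<Object> list = (List<Object>) target;
            target = list.get(idx);
            if (last && target instanceof String) { list.set(idx, value); return true; }
        }
        return false;
    }
    // Readable properties only, stopping at Object.class so just the bean's own ones are bindable.
    static PropertyDescriptor find(Class<?> type, String prop) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(type, Object.class).getPropertyDescriptors())
            if (pd.getName().equals(prop) && pd.getReadMethod() != null) return pd;
        return null;
    }

    public static class Node {                    // constructed sample bean, not a Struts class
        private String name; private Node child; private final List<String> tags = new ArrayList<>(Arrays.asList("a", "b"));
        public String getName() { return name; }  public void setName(String n) { name = n; }
        public Node getChild() { return child == null ? (child = new Node()) : child; }
        public List<String> getTags() { return tags; }
    }
    public static void main(String[] args) throws Exception {
        Node root = new Node();                   // constructed sample parameter names below
        for (String n : Arrays.asList("name", "child.name", "tags[1]", "tags[9]", "child..name", "name.trim()"))
            System.out.println(n + " -> " + bind(root, n, "x"));
    }
}
```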