struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: [struts-dev] Re: Ultimate way to solve problems with Ognl
Date Fri, 23 May 2014 11:37:55 GMT
2014-05-23 10:28 GMT+02:00 Lukasz Lenart <lukaszlenart@apache.org>:
> 2014-05-23 10:19 GMT+02:00 Christoph Nenning <Christoph.Nenning@lex-com.net>:
>> what about these ?
>>
>> - javax.*
>
> +1
>
>> - org.apache.struts2.*
>> - com.opensymphony.xwork2.*
>
> won't work: #session, #request, #parameters, etc
>
> http://struts.apache.org/release/2.3.x/docs/ognl.html

And Ognl is used to set parameters on interceptors (like <param
name="excludeParams">...</param>)

>
>> At least in my applications I didn't ever need to call anything from
>> libraries, just code of the application itself.
>>
>> From that point of view we could even exclude the following. But that
>> might be too specific as default in struts:
>> - java.*
>> - org.*
>> - net.* (e.g. libraries hosted on source forge)
>> - com.google.*
>
> A bit too wide, but we can try - User can always use a different set
> of patterns :-)

Too broad... maybe add white-listing but how to discover user's classes?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
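
An added example, not part of the original message and not Struts code: it classifies class names against the package patterns proposed in the thread, assuming `pkg.*` means that package and all of its subpackages. The class `ExcludedPackageCheck`, the method `excludedBy` and the sample class names (including the stand-in application classes under `org.example` and `com.example`) are constructed for illustration.

```java
import java.util.List;

public class ExcludedPackageCheck {
    // Pattern sets taken from the thread; the matching semantics are an assumption.
    static final List<String> NARROW = List.of("javax.*");
    static final List<String> BROAD =
        List.of("javax.*", "java.*", "org.*", "net.*", "com.google.*");

    /** Returns the first pattern that excludes the class, or null if none does. */
    static String excludedBy(String className, List<String> patterns) {
        int lastDot = className.lastIndexOf('.');
        String pkg = lastDot < 0 ? "" : className.substring(0, lastDot);
        for (String pattern : patterns) {
            String prefix = pattern.endsWith(".*")
                ? pattern.substring(0, pattern.length() - 2)
                : pattern;
            // Match on a package boundary so "java.*" does not match "javax.naming".
            if (pkg.equals(prefix) || pkg.startsWith(prefix + ".")) {
                return pattern;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample input: library classes plus stand-in application classes.
        List<String> samples = List.of(
            "java.lang.Runtime",
            "javax.naming.InitialContext",
            "org.apache.struts2.ServletActionContext",
            "com.opensymphony.xwork2.ActionContext",
            "com.google.common.collect.ImmutableList",
            "org.example.shop.Cart",
            "com.example.shop.Cart");
        for (String name : samples) {
            String narrow = excludedBy(name, NARROW);
            String broad = excludedBy(name, BROAD);
            System.out.printf("%-42s narrow: %-8s broad: %s%n", name,
                narrow == null ? "allowed" : narrow,
                broad == null ? "allowed" : broad);
        }
    }
}
```

With the broad set, `org.*` also excludes `org.apache.struts2.*`, which the thread says cannot be excluded, and it excludes application code that happens to live under `org.` or `net.`.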
