From Dave Newton <newton.d...@yahoo.com>
Subject Re: [struts] Escaping Characters in Struts Property Tag
Date Wed, 14 Nov 2007 16:16:51 GMT
Another issue, a more stylistic one, is that using
methods like this is barely better than scriptlets.
Some would argue that this type of work belongs on the
server side, especially if you're working with
non-programming designers (although some can be
trained to use a set of well-defined static methods
once they have the syntax).

d.

--- Dale Newfield <Dale@Newfield.org> wrote:

> chengas123 wrote:
> > Ahh, yes, that was my problem.  I'm afraid I wasn't expecting that.  I
> > don't really see how allowing static method access presents a security
> > problem.  Am I opening myself up to any obvious risks by turning this on?
> 
> If someone submits a value in a form that you mirror back to them in a
> place that might be evaluated by OGNL, then "@System@exit(-1)" would be
> a pretty evil risk, no?  I'm pretty certain that the most recent xwork
> .jar prevents OGNL evaluation while setting parameters from the request,
> so the path that string must take to be destructive is now much more
> convoluted.
> 
> -Dale
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

