struts-user mailing list archives

From Laurie Harper <lau...@holoweb.net>
Subject Re: Attribute name in tag param cannot be dynamic in struts 2.0.11
Date Wed, 02 Jan 2008 21:04:38 GMT
Xibin Liu wrote:
> In tld of 2.0.11:
> 
>   <tag>
>     <name>param</name>
>     <tag-class>org.apache.struts2.views.jsp.ParamTag</tag-class>
>     <body-content>JSP</body-content>
>     <description><![CDATA[Parametrize other tags]]></description>
>     <attribute>
>       <name>name</name>
>       <required>false</required>
>       <rtexprvalue>false</rtexprvalue>
>       <description><![CDATA[Name of Parameter to set]]></description>
>     </attribute>
> 
> 
> In tld of 2.0.9:
> 
>   <tag>
>     <name>param</name>
>     <tag-class>org.apache.struts2.views.jsp.ParamTag</tag-class>
>     <body-content>JSP</body-content>
>     <description><![CDATA[Parametrize other tags]]></description>
>     <attribute>
>       <name>name</name>
>       <required>false</required>
>       <rtexprvalue>true</rtexprvalue>
>       <description><![CDATA[Name of Parameter to set]]></description>
>     </attribute>
> 
> Is the change made this way intentionally?
> JSP pages working under 2.0.9 have to be changed before being imported
> to 2.0.11.

It's not very clearly called out in the release notes, but yes, this is 
an intentional change. The reason is that there is a security hole with 
rtexprvalue set to true. I can't find the relevant JIRA ticket off hand, 
but hopefully someone else will be able to supply that.

L.
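
An added example (not part of the original messages and not Struts code) for the migration problem raised in this thread: it compares the `rtexprvalue` flags of two TLDs and lists JSP lines that still pass a JSP runtime expression (`${...}` or `<%= ... %>`) to an attribute that no longer accepts one. The TLDs are constructed from the fragments quoted above; the JSP lines and the `s` tag prefix are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample TLDs modelled on the two fragments quoted above
# (trimmed, closing tags added so they parse); assumes a TLD without an XML namespace.
TLD_TEMPLATE = """<taglib>
  <tag>
    <name>param</name>
    <attribute>
      <name>name</name>
      <rtexprvalue>{flag}</rtexprvalue>
    </attribute>
  </tag>
</taglib>"""
TLD_2_0_9 = TLD_TEMPLATE.format(flag="true")
TLD_2_0_11 = TLD_TEMPLATE.format(flag="false")

# Constructed JSP lines; the "s" prefix is an assumption about the taglib directive.
SAMPLE_JSP = '''<s:param name="${paramName}" value="1"/>
<s:param name="<%= request.getAttribute("n") %>"/>
<s:param name="id" value="%{id}"/>'''


def rtexpr_flags(tld_xml):
    """Map (tag, attribute) -> rtexprvalue as a bool."""
    flags = {}
    for tag in ET.fromstring(tld_xml).iter("tag"):
        for attr in tag.iter("attribute"):
            value = (attr.findtext("rtexprvalue") or "false").strip().lower()
            flags[(tag.findtext("name"), attr.findtext("name"))] = value in ("true", "yes")
    return flags


def newly_static(old_tld, new_tld):
    """Attributes that accepted runtime expressions before and no longer do."""
    old, new = rtexpr_flags(old_tld), rtexpr_flags(new_tld)
    return sorted(k for k, v in old.items() if v and not new.get(k, False))


def affected_lines(jsp_text, changed, prefix="s"):
    """(line number, tag, attribute) where a changed attribute holds ${...} or <%= ... %>."""
    hits = []
    for lineno, line in enumerate(jsp_text.splitlines(), 1):
        for tag, attr in changed:
            pattern = r'<%s:%s\b[^>]*?\b%s\s*=\s*"(?:\$\{|<%%=)' % (prefix, tag, attr)
            if re.search(pattern, line):
                hits.append((lineno, tag, attr))
    return hits
```

Running `affected_lines(SAMPLE_JSP, newly_static(TLD_2_0_9, TLD_2_0_11))` reports the first two sample lines; the third uses a literal name and is not flagged.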

