struts-user mailing list archives

From Dave Newton <newton.d...@yahoo.com>
Subject Re: [S2 V2.0.14] <s:param> value attribute has rtexprvalue=false - shouldn't it be rtexprvalue=true?
Date Wed, 17 Dec 2008 11:45:24 GMT
--- On Wed, 12/17/08, Robert Graf-Waczenski wrote:
> What is the reasoning behind restricting the value=
> attribute to non-runtime values only?

Security issues: since JSP EL/rtexprs are evaluated first, if they evaluate to a valid OGNL
expression it's possible to end up with evil values that might not be intended.

> 
> How would one create a url with multiple url parameters?

<s:url ...>
  <s:param.../>
  <s:param.../>
</s:url>

Dave
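
The pattern from the reply above, written out as a JSP fragment. This is an added example, not part of the original message or of the Struts code base; the action name `viewOrder`, the action property `orderId`, and the parameter names `id` and `tab` are assumptions made for illustration.

```jsp
<%@ taglib prefix="s" uri="/struts-tags" %>

<%-- With rtexprvalue=false on value, the JSP container rejects the line
     below at translation time. If it were accepted, the container would
     evaluate ${param.id} first and hand the resulting string to Struts,
     which would then evaluate that string a second time as OGNL.

     <s:param name="id" value="${param.id}"/>
--%>

<s:url id="orderUrl" action="viewOrder">
  <%-- value is an OGNL expression resolved once against the value stack;
       orderId is a hypothetical property of the current action --%>
  <s:param name="id" value="orderId"/>
  <%-- body text is passed as a plain string, not evaluated as OGNL --%>
  <s:param name="tab">details</s:param>
</s:url>

<s:a href="%{orderUrl}">Order details</s:a>
```

Each parameter value is evaluated at most once, by OGNL, against data the action exposes, so request input never becomes expression text.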

