struts-user mailing list archives

From Dave Newton <>
Subject Re: [S2 V2.0.14] <s:param> value attribute has rtexprvalue=false - shouldn't it be rtexprvalue=true?
Date Wed, 17 Dec 2008 11:45:24 GMT
--- On Wed, 12/17/08, Robert Graf-Waczenski wrote:
> What is the reasoning behind restricting the value=
> attribute to non-runtime values only?

Security issues: since JSP EL/rtexprs are evaluated first, if they evaluate to a valid OGNL
expression it's possible to end up with evil values that might not be intended.

> How would one create a url with multiple url parameters?

<s:url ...>
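
An added illustration of the two points in this reply (not part of the original message and not code from the Struts project): a JSP fragment showing the form that `rtexprvalue=false` rejects next to OGNL-only ways of building a URL with several parameters. The action name `search`, the parameter names, and the action properties `query` and `page` are assumptions made for the example.

```jsp
<%@ taglib prefix="s" uri="/struts-tags" %>

<%-- Rejected form, kept inside a JSP comment so this page still translates.
     Because value= on <s:param> is declared rtexprvalue=false, the container
     refuses a JSP EL or scriptlet expression in that attribute. If it were
     accepted, the container would expand ${param.q} first and the tag would
     then evaluate the resulting request-supplied string as OGNL, which is
     the double evaluation the reply describes.

<s:url action="search">
    <s:param name="q" value="${param.q}"/>
</s:url>
--%>

<%-- Accepted form: every value= is evaluated exactly once, as OGNL against
     the value stack, so the expression text is fixed by the page author and
     only the data it resolves to comes from the request.
     "query" and "page" are assumed properties of the current action. --%>
<s:url action="search">
    <%-- OGNL property lookup: calls getQuery() on the action --%>
    <s:param name="q" value="query"/>
    <%-- OGNL expression computed from an action property --%>
    <s:param name="page" value="page + 1"/>
    <%-- Body text is taken as a plain string, with no expression evaluation --%>
    <s:param name="sort">date</s:param>
</s:url>
```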

