Date: Wed, 17 Dec 2008 03:45:24 -0800 (PST)
From: Dave Newton
Subject: Re: [S2 V2.0.14] value attribute has rtexprvalue=false - shouldn't it be rtexprvalue=true?
To: Struts Users Mailing List

--- On Wed, 12/17/08, Robert Graf-Waczenski wrote:
> What is the reasoning behind restricting the value=
> attribute to non-runtime values only?

Security issues: since JSP EL/rtexprs are evaluated first, if they evaluate to a valid OGNL expression it's possible to end up with evil values that might not be intended.

> > How would one create a url with multiple url parameters?

Dave
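The two-pass evaluation described in the message above, as an added example that is not part of the original message and is not Struts code. `elPass` and `ognlPass` are hypothetical toy stand-ins for the JSP container's EL step and the tag's OGNL step, and the request parameter and value-stack contents are constructed sample data.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DoubleEvalDemo {
    // Pass 1 (JSP container, toy stand-in): replace ${param.x} with the request parameter's text.
    static final Pattern EL = Pattern.compile("\\$\\{param\\.(\\w+)\\}");

    static String elPass(String attr, Map<String, String> params) {
        Matcher m = EL.matcher(attr);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String v = params.getOrDefault(m.group(1), "");
            m.appendReplacement(out, Matcher.quoteReplacement(v));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Pass 2 (the tag, toy stand-in for OGNL): treat the attribute string as a
    // property name and resolve it against the value stack.
    static Object ognlPass(String expr, Map<String, Object> stack) {
        return stack.get(expr);
    }

    public static void main(String[] args) {
        // Constructed request: the client chooses the text of "label".
        Map<String, String> params = Map.of("label", "internalNote");
        // Constructed value stack: "label" is bound from the request,
        // "internalNote" is a property this page never meant to render.
        Map<String, Object> stack = Map.of(
                "label", params.get("label"),
                "internalNote", "not meant for this page");

        // Hypothetical rtexprvalue=true: value="${param.label}".
        // The client's text survives pass 1 and is then read as an expression in pass 2.
        String afterEl = elPass("${param.label}", params);
        System.out.println("double evaluation: " + ognlPass(afterEl, stack));

        // Actual rtexprvalue=false: value="label". Only pass 2 runs, on a string the
        // page author wrote, so the client's text is returned as data.
        System.out.println("single evaluation: " + ognlPass("label", stack));
    }
}
```

With `rtexprvalue=false` the JSP container refuses an EL expression in the attribute at translation time, so the string that reaches the OGNL step is always one written by the page author.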