Hello James,

James Yong <jamesy...@apache.org> writes:

> Understand the intent of checkSecureParameter function is to avoid
> sensitive information in the URL during POST method. A proposal is
> made to provide an attribute (i.e. allow-query-string-for-service-event)
> to allow url parameters / query string for certain requests. Shouldn't
> the value for this attribute be false, instead of true, when no value
> is specified for the attribute?

What would be required before discussing the details of the proposal is a detailed scenario demonstrating that, in the context of OFBiz event handlers, accepting query parameters from an HTTP request is less secure than accepting only body parameters.

--
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37