On 8/21/06, Don Brown <[EMAIL PROTECTED]> wrote:
I know that the overriding concern is "security".
Here's the thing. Regardless of what we think, there are independent security organizations that review security issues for high profile frameworks. If we don't control the bang with a switch that defaults to off, we are liable to get pinged for this. Struts 1 was pinged for the way we handled "cancel", and we had to come up with a fix. I doubt that trying to explain away a security risk by saying "Atlassian doesn't think it's a problem" is going to result in the security alert being lowered.

There is also a fundamental ASF principle that "Security is a mandatory feature." Regardless of whether we end up saying using the ! alias is acceptable, or even preferred, we should retain the switch that turns it on, so that teams make an informed decision as to its use.

-Ted.