2007/7/5, Musachy Barroso <[EMAIL PROTECTED]>:
> Implementing ParameterNameAware would solve the problem of someone tampering
> with the parameter name, but not that of entering %{} in the value. We need to
> prevent both.

Prevent? I don't think that intercepting the possible malicious values
is a viable solution; there will always be an exploit that can bypass
it.
I think that values passed by the user must not be evaluated as an
OGNL expression, just like EL is not evaluated when entered by the
user.

Antonio

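The contrast Antonio draws, as an added illustration that is not code from this thread, from Struts/XWork or from OGNL: a toy object-graph evaluator with a stand-in `%{property}` syntax, a parameter binder that allow-lists property names (the role ParameterNameAware plays above), and two render paths. The vulnerable one feeds a stored property value back through the evaluator, so a request value that happens to contain `%{...}` is evaluated a second time; the safe one evaluates the template once and emits the stored value as data. The `Action` class, the `secret` property and the request value are constructed for the example.

```python
"""Toy illustration of the thread's design point: a request parameter value
must be treated as data, never re-parsed as an expression.

Constructed example; not Struts/XWork or OGNL code. The %{property} syntax
below is a stand-in for OGNL interpolation.
"""
import re

# Matches the stand-in interpolation syntax, e.g. "%{greeting}".
_EXPR = re.compile(r"%\{\s*([A-Za-z_]\w*)\s*\}")


class Action:
    """Stand-in for an action bean with one bindable property and one
    property the request must never read or write."""

    def __init__(self):
        self.greeting = ""
        self.secret = "db-password-placeholder"  # constructed, not a real value


def bind_parameter(action, name, value, allowed=("greeting",)):
    """Parameter-name side of the problem: bind only to an allow-list of
    property names. The value itself is stored verbatim, never parsed."""
    if name not in allowed:
        raise ValueError(f"refusing to bind unknown parameter {name!r}")
    setattr(action, name, value)


def binding_rejected(action, name, value="x"):
    """True if bind_parameter refuses the given parameter name."""
    try:
        bind_parameter(action, name, value)
    except ValueError:
        return True
    return False


def evaluate(template, action):
    """Resolve every %{prop} in a template against the action. Only
    developer-written templates should ever reach this function."""
    return _EXPR.sub(lambda m: str(getattr(action, m.group(1), "")), template)


def render_vulnerable(action, prop):
    """The pattern the thread warns about: the value of the property is
    itself treated as a template, so user input containing %{...}
    is evaluated a second time against the object graph."""
    first_pass = evaluate("%{" + prop + "}", action)
    return evaluate(first_pass, action)


def render_safe(action, prop):
    """The fix proposed in the reply: the stored value is data. The
    developer's template is evaluated once and the result is emitted
    without being re-parsed."""
    return evaluate("%{" + prop + "}", action)


def demo():
    """Bind a constructed request value that looks like an expression and
    render it both ways; returns (vulnerable_output, safe_output)."""
    action = Action()
    bind_parameter(action, "greeting", "hello %{secret}")
    return render_vulnerable(action, "greeting"), render_safe(action, "greeting")


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("double evaluation:", vulnerable)
    print("single evaluation:", safe)
```

Both defences are needed, which is Musachy's point as well: the allow-list in `bind_parameter` stops a request from naming `secret` directly, while `render_safe` is what stops a request value from reaching it indirectly. Neither relies on spotting "malicious" characters in the value.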