What do you define as "a user should not be allowed to execute such OGNL code!"? There are times that I want to call a static method and use the results. The problem to me (and as Don pointed out) is that there is malicious code stored in the database that was entered by users - and is a type of XSS attack. The other option is that a hacker has access to your web app file system and is changing a template. If this is the case, my personal feeling is that you should be glad they are only changing templates and not doing a number of other things :-)

/Ian

Antonio Petrelli wrote:
> 2007/7/16, Ing. Andrea Vettori <[EMAIL PROTECTED]>:
>> What about expressions like "%{foo} %{bar}" that work with the current
>> version but don't work using the loopCounter patch?
>>
>> I don't think we need them but who knows...
>
> I think that recursion is a false problem: it's up to the developer to
> control it (I don't think that JSP EL controls it, correct me if I am
> wrong). Eventually a log message can be written, but preventing it is not a
> solution, because a particular case (such as circular reference) will be
> always present.
> The "real" problem is that a user should not be allowed to execute such OGNL
> code!
>
> Antonio
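The thread above raises two separate points: multiple placeholders such as "%{foo} %{bar}" in one string, and the risk of evaluating user-entered text (from the database or a tampered template) as OGNL. The class below is an added illustration written for this page, not code from Struts, Tiles or any poster, of the defensive alternative both points lead to: substitute "%{name}" placeholders from an allow-listed attribute map with a plain regular expression, so that only bare identifiers are ever resolved and anything that looks like an expression (method calls, static references, nested syntax) is left verbatim rather than handed to an evaluator. The `MAX_PASSES` limit plays the role of the loop counter discussed in the thread: a circular reference is logged and expansion stops instead of recursing forever. The class name, the attribute map and the sample strings are all constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Constructed example (hypothetical class, not a Struts/Tiles API).
 * Resolves "%{name}" placeholders against an allow-listed attribute map
 * instead of evaluating user-supplied text as OGNL.
 */
public class SafePlaceholderResolver {

    // Only plain identifiers are accepted between %{ and }: no '.', '(', '@'
    // or '#', so method calls, static references and nested expressions never
    // match and are left untouched in the output.
    private static final Pattern PLACEHOLDER =
        Pattern.compile("%\\{([A-Za-z_][A-Za-z0-9_]*)\\}");

    // Hypothetical bound on repeated expansion, the equivalent of a loop counter.
    private static final int MAX_PASSES = 5;

    private final Map<String, String> attributes;

    public SafePlaceholderResolver(Map<String, String> attributes) {
        this.attributes = attributes;
    }

    /** Expands placeholders until the text stops changing or the pass limit is hit. */
    public String resolve(String template) {
        String current = template;
        for (int pass = 0; pass < MAX_PASSES; pass++) {
            String next = expandOnce(current);
            if (next.equals(current)) {
                return next; // fixed point: nothing left to expand
            }
            current = next;
        }
        // Still changing after MAX_PASSES: a circular reference. Log and stop
        // rather than recurse further.
        System.err.println("placeholder expansion did not converge for: " + template);
        return current;
    }

    /** One left-to-right pass; every "%{foo} %{bar}" occurrence is handled independently. */
    private String expandOnce(String text) {
        Matcher m = PLACEHOLDER.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String name = m.group(1);
            String value = attributes.get(name);
            // Names outside the allow-listed map stay as literal text.
            String replacement = (value != null) ? value : m.group(0);
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed attribute values, standing in for data a page would expose.
        Map<String, String> attrs = new HashMap<>();
        attrs.put("foo", "Hello");
        attrs.put("bar", "World");
        attrs.put("a", "%{b}"); // a and b reference each other: circular
        attrs.put("b", "%{a}");

        SafePlaceholderResolver r = new SafePlaceholderResolver(attrs);

        // Two placeholders in one string, each resolved from the map.
        System.out.println(r.resolve("%{foo} %{bar}"));

        // Constructed "stored" text that looks like an expression: the pattern
        // does not match it, so it is echoed verbatim and never evaluated.
        System.out.println(r.resolve("%{foo.toUpperCase()}"));

        // Circular reference: stops after MAX_PASSES with a log line on stderr.
        System.out.println(r.resolve("%{a}"));
    }
}
```

The design point is that the safe path does not need to detect malicious expressions at all: by resolving only identifiers from a map the application controls, the resolver has nothing an attacker's stored text can invoke, and a bounded pass count turns the recursion question into a logged, terminating condition, which is the behaviour Antonio describes wanting.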


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
