2007/7/16, Ian Roughley <[EMAIL PROTECTED]>:
> What do you define as "a user should not be allowed to execute such OGNL code!"? There are times that I want to call a static method and use the results. The problem to me (and as Don pointed out), is that there is malicious code stored in the database that was entered by users - and is a type of XSS attack.
Sorry, maybe I used the wrong terms. Data entered by users (i.e. people who use the application) must not be evaluated. A developer (i.e. a person who maintains the application) can do almost anything. The other option is that a hacker has access to your web app file system and is changing a template. If this is the case, my personal feeling is that you should be glad they are only changing templates and not doing a number of other things :-)
This is exactly what the security bulletin addresses. And, personally, I hope that those who are using Struts 2/WebWork in their applications do not receive much harm...

Antonio