Andrea Vettori wrote:
can someone explain why it's bad practice to do something like this in a
jsp page :
<sometaglib:sometag var="result"/>
<s:hidden name="property" value="${result}"/>
Because the value of ${result} will then be evaluated as an OGNL expression.
So let's say this sometaglib:sometag tag finds the current user's
username and sticks it in the var attribute.
If I can change my username to "[EMAIL PROTECTED]@exit()}", ${result}
will evaluate to "[EMAIL PROTECTED]@exit(-1)}" which will then be
evaluated as OGNL, taking down your application server.
-Dale
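The page Andrea posted, written both ways, as an added example that is not from this thread (the `sometaglib:sometag` tag is the one from the question; `#attr` is the standard Struts 2 OGNL reference to page/request/session attributes):

```jsp
<%@ taglib prefix="s" uri="/struts-tags" %>

<%-- The custom tag stores a user-influenced string (here, a username)
     in the page attribute "result". --%>
<sometaglib:sometag var="result"/>

<%-- VULNERABLE: the JSP container resolves ${result} first and pastes the raw
     username into the tag's value attribute. The Struts tag then evaluates
     that attribute as OGNL, so any OGNL syntax inside the username runs
     on the server: the attacker chooses the expression. --%>
<s:hidden name="property" value="${result}"/>

<%-- SAFER: let OGNL fetch the attribute itself. "#attr.result" resolves to
     the stored String, which is used as data and not parsed a second time,
     so the username's contents are never interpreted as an expression. --%>
<s:hidden name="property" value="%{#attr.result}"/>
```

The same rule applies to every Struts tag attribute: never interpolate request-derived data into a tag with `${...}`; reference it through OGNL (`%{...}` or a value-stack property name) so it is evaluated exactly once.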