That's true, but shouldn't the app do some input checking?
It's the same as SQL injection...
On 06/Mar/08, at 18:37, Dale Newfield wrote:
Andrea Vettori wrote:
Can someone explain why it's bad practice to do something like this
in a JSP page:
<sometaglib:sometag var="result"/>
<s:hidden name="property" value="${result}"/>
Because the value of ${result} will then be evaluated as an OGNL
expression.
So let's say this sometaglib:sometag tag finds the current user's
username and sticks it in the var attribute.
If I can change my username to "[EMAIL PROTECTED]@exit()}", ${result}
will evaluate to "[EMAIL PROTECTED]@exit(-1)}" which will then be
evaluated as OGNL, taking down your application server.
-Dale
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Ing. Andrea Vettori
Information Technology Consultant
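The following is an added illustration of the two evaluation passes Dale describes; it is not Struts or XWork code, nor anything posted in the thread. It models the JSP container expanding ${...} in the tag attribute first, and the Struts tag then treating any %{...} in the string it receives as OGNL. The OGNL evaluator is a deliberately tiny stand-in of my own (only "#attr.<name>" lookups and "@Class@method(args)" static calls, dispatched to a registry of fake sinks), the attacker's username is a constructed payload, and the hardened attribute value "%{#attr.result}" is the example's own choice, relying on the fact that #attr is how Struts 2 OGNL reaches page-scoped attributes.

```python
"""Model of the two evaluation passes a Struts 2 tag attribute goes through.

Added example, not Struts/XWork code.  Pass 1 is the JSP container
evaluating ${...} EL; pass 2 is the Struts tag evaluating %{...} as OGNL
in whatever string pass 1 handed it.  The "OGNL" here is a stand-in that
understands only '#attr.<name>' and '@Class@method(args)'.
"""
import re
from typing import Callable, Dict, List

EL = re.compile(r"\$\{(\w+)\}")                 # ${name}
OGNL = re.compile(r"%\{(.*?)\}")                # %{expression}
STATIC_CALL = re.compile(r"^@([\w.]+)@(\w+)\((.*)\)$")
ATTR_LOOKUP = re.compile(r"^#attr\.(\w+)$")


def jsp_el(attr: str, page_scope: Dict[str, str]) -> str:
    """Pass 1 (JSP container): ${name} is replaced by the page-scoped value
    as plain text, before the tag handler ever sees the attribute."""
    return EL.sub(lambda m: str(page_scope[m.group(1)]), attr)


def ognl_eval(expr: str, page_scope: Dict[str, str],
              sinks: Dict[str, Callable[[str], object]], calls: List[str]) -> str:
    """Stand-in OGNL: resolve a #attr lookup, or dispatch a static call to
    the sink registry and record that it happened."""
    m = ATTR_LOOKUP.match(expr)
    if m:
        return str(page_scope[m.group(1)])
    m = STATIC_CALL.match(expr)
    if m:
        key = f"@{m.group(1)}@{m.group(2)}"
        if key not in sinks:
            raise ValueError(f"unknown static method {key}")
        calls.append(f"{key}({m.group(3)})")
        return str(sinks[key](m.group(3)))
    raise ValueError(f"unsupported expression: {expr!r}")


def struts_tag(attr: str, page_scope: Dict[str, str],
               sinks: Dict[str, Callable[[str], object]], calls: List[str]) -> str:
    """Pass 2 (Struts tag): every %{...} in the received string is OGNL.
    One scan only: the substituted result is not rescanned for more %{...}."""
    return OGNL.sub(lambda m: ognl_eval(m.group(1), page_scope, sinks, calls), attr)


def render_hidden(value_attr: str, page_scope: Dict[str, str],
                  sinks: Dict[str, Callable[[str], object]], calls: List[str]) -> str:
    """<s:hidden value="..."/> as seen by the two passes, in order."""
    return struts_tag(jsp_el(value_attr, page_scope), page_scope, sinks, calls)


def demo() -> Dict[str, object]:
    # Fake sink: records the call instead of terminating anything.
    sinks = {"@java.lang.System@exit": lambda args: f"<exit({args}) would run here>"}
    # Constructed attacker-chosen username (hypothetical, for this example).
    attacker_username = "%{@java.lang.System@exit(-1)}"
    page_scope = {"result": attacker_username}   # what sometaglib:sometag stored

    vulnerable_calls: List[str] = []
    vulnerable_output = render_hidden("${result}", page_scope, sinks, vulnerable_calls)

    hardened_calls: List[str] = []
    # OGNL looks the attribute up once; the string it finds is a value, not code.
    hardened_output = render_hidden("%{#attr.result}", page_scope, sinks, hardened_calls)

    return {
        "vulnerable_output": vulnerable_output,
        "vulnerable_calls": vulnerable_calls,
        "hardened_output": hardened_output,
        "hardened_calls": hardened_calls,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

With value="${result}" the container substitutes the username as text and the tag then finds a %{...} to evaluate, so the sink fires; with value="%{#attr.result}" the tag evaluates exactly one expression, the lookup, and the username comes back as an inert string. Input filtering on the username, as Andrea suggests, only helps for that one field; any other value that reaches a ${...} inside a Struts tag attribute takes the same path.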