Sorry if I come up now, but there is an effort to create an EL plugin for Struts 2.1.x:

http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin/
http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin-example/

If you want EL support back, please contribute to this sandboxed plugin.

Antonio

2008/3/6, Andrea Vettori <[EMAIL PROTECTED]>:
>
> On 06/mar/08, at 19:04, Dale Newfield wrote:
>
> > Andrea Vettori wrote:
> >> That's true but shouldn't the app do some input checking ?
> >
> > What you're suggesting is that we make this framework vulnerable to
> > poorly written applications? I'd say the framework should be
> > written so that even poorly written applications can't compromise it.
>
> Ok but if protecting poorly written applications breaks well-written
> applications at least I think the framework should be available in two
> versions.
> Since I think it's about having two tlds for the struts tags, just
> write "EL kills" and let the users choose...
>
> >> It's the same as SQL injection...
> >
> > In fact, it's OGNL injection, and the way to avoid it is not to
> > evaluate user provided strings as OGNL expressions. Turning off EL
> > is part of how that's been accomplished.
>
> If one has EL enabled, do you think that escaping or removing OGNL
> syntax in HTTP request variables is enough (assuming that there are
> no other ways to inject OGNL code into the app) ?
>
> --
> Ing. Andrea Vettori
> Information Technology consultant
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
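Added illustration (not code from this thread, from Struts or from the UEL plugin) of the distinction Dale draws above, using the OGNL library's public API; the SearchAction bean, its "query" property and the request value are constructed for the example:

```java
import java.util.Map;
import ognl.Ognl;
import ognl.OgnlException;

public class OgnlParamBinding {
    // Stand-in for a Struts action (constructed for this example).
    public static class SearchAction {
        private String query;
        public String getQuery() { return query; }
        public void setQuery(String q) { query = q; }
    }

    // Injection-prone pattern: a string that came from the request is
    // compiled and evaluated as an OGNL expression, so whatever OGNL
    // syntax it contains is interpreted by the framework.
    static Object evaluateUserString(SearchAction action, String userString)
            throws OgnlException {
        Map ctx = Ognl.createDefaultContext(action);
        return Ognl.getValue(userString, ctx, action);
    }

    // Safe pattern (the SQL "parameter, not concatenation" analogy from the
    // thread): only an expression the application owns is evaluated; the
    // request string is passed as a value and is never parsed as OGNL.
    static void bindQueryParam(SearchAction action, String userString)
            throws OgnlException {
        Map ctx = Ognl.createDefaultContext(action);
        Object tree = Ognl.parseExpression("query"); // fixed, app-chosen expression
        Ognl.setValue(tree, ctx, action, userString);
    }

    public static void main(String[] args) throws OgnlException {
        SearchAction action = new SearchAction();
        // Constructed request value that happens to contain OGNL syntax.
        String fromRequest = "query.length()";

        bindQueryParam(action, fromRequest);
        // Stored verbatim as data: prints the 14-character string itself.
        System.out.println(action.getQuery());

        // Evaluated as an expression: calls String.length() on the property
        // just set and prints 14, which is exactly the behaviour the thread
        // says request-derived strings must never trigger.
        System.out.println(evaluateUserString(action, fromRequest));
    }
}
```

Stripping or escaping OGNL characters from request values, as asked in the quoted question, is a denylist on the data; the structural fix is that request-derived strings only ever reach `setValue` as the value argument and never `getValue` as the expression.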