That's what I was looking for!!! :-)

Felipe Antonio Petrelli-3 wrote:
>
> Sorry if I come up now, but there is an effort to create an EL plugin
> for Struts 2.1.x:
> http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin/
> http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin-example/
>
> If you want EL support back, please contribute to this sandboxed plugin.
>
> Antonio
>
> 2008/3/6, Andrea Vettori <[EMAIL PROTECTED]>:
>>
>> On 06 Mar 2008, at 19:04, Dale Newfield wrote:
>>
>> > Andrea Vettori wrote:
>> >> That's true, but shouldn't the app do some input checking?
>> >
>> > What you're suggesting is that we make this framework vulnerable to
>> > poorly written applications? I'd say the framework should be
>> > written so that even poorly written applications can't compromise it.
>>
>> Ok, but if protecting poorly written applications breaks well-written
>> applications, at least I think the framework should be available in two
>> versions.
>> Since I think it's about having two tlds for the struts tags, just
>> write "EL kills" and let the users choose...
>>
>> >> It's the same as SQL injection...
>> >
>> > In fact, it's OGNL injection, and the way to avoid it is not to
>> > evaluate user provided strings as OGNL expressions. Turning off EL
>> > is part of how that's been accomplished.
>>
>> If one has EL enabled, do you think that escaping or removing OGNL
>> syntax in http request variables is enough (assuming that there are
>> no other ways to inject OGNL code into the app)?
>>
>> --
>> Ing. Andrea Vettori
>> Information Technology Consultant
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>

--
View this message in context: http://www.nabble.com/Issue-WW-2107-question---Is-JSTL-disable-or-not--tp15830208p15884171.html
Sent from the Struts - Dev mailing list archive at Nabble.com.
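The distinction Dale draws above (evaluating a user-provided string as the OGNL expression versus treating it as data) is the same one that separates string-concatenated SQL from a parameterized query. The following Java example, added here and not taken from Struts or from anyone in the thread, shows both sides against the plain `ognl.Ognl` API that Struts 2.1 builds on. The `UserAction` class, the parameter names and the sample inputs are constructed for the illustration; it assumes the OGNL jar is on the classpath.

```java
import java.util.Map;

import ognl.Ognl;
import ognl.OgnlException;

/**
 * Added illustration of OGNL injection versus a fixed expression.
 * Not Struts code: the action class, the expressions and the sample request
 * values below are constructed for this example.
 */
public class OgnlInjectionDemo {

    /** Stand-in for a Struts action sitting at the root of the value stack. */
    public static class UserAction {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Expression chosen by the developer, parsed once, never built from input. */
    private static final Object NAME_EXPR;
    static {
        try {
            NAME_EXPR = Ognl.parseExpression("name");
        } catch (OgnlException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /**
     * VULNERABLE pattern: the request parameter *is* the expression, so
     * whatever OGNL's grammar allows (property chains, method calls, ...)
     * is evaluated against the action.
     */
    public static Object evaluateUntrustedExpression(String untrustedExpression)
            throws OgnlException {
        UserAction root = new UserAction();
        Map ctx = Ognl.createDefaultContext(root);
        return Ognl.getValue(untrustedExpression, ctx, root);
    }

    /**
     * SAFE pattern: the expression is the constant above; the untrusted
     * string is only the value being assigned, so OGNL syntax inside it
     * is stored verbatim and never parsed.
     */
    public static String setNameFromRequest(String untrustedValue) throws OgnlException {
        UserAction root = new UserAction();
        Map ctx = Ognl.createDefaultContext(root);
        Ognl.setValue(NAME_EXPR, ctx, root, untrustedValue);
        return root.getName();
    }

    /**
     * SAFE pattern, read side: untrusted data is bound as a context
     * variable and fetched back through a fixed expression ("#input").
     * OGNL returns the string object itself; it does not evaluate it.
     */
    public static Object readBoundVariable(String untrustedValue) throws OgnlException {
        UserAction root = new UserAction();
        Map ctx = Ognl.createDefaultContext(root);
        ctx.put("input", untrustedValue);
        return Ognl.getValue("#input", ctx, root);
    }

    public static void main(String[] args) throws OgnlException {
        // Constructed request values: one a plain property name, one carrying
        // a method call, i.e. code rather than data.
        String benign = "name";
        String hostile = "name.toUpperCase()";

        System.out.println(evaluateUntrustedExpression(benign));
        System.out.println(evaluateUntrustedExpression(hostile));
        System.out.println(setNameFromRequest(hostile));
        System.out.println(readBoundVariable(hostile));
    }
}
```

Run as written, the vulnerable path returns `alice` for the benign input and `ALICE` for the hostile one, because `toUpperCase()` was invoked on the action's property; the two safe paths hand back the literal string `name.toUpperCase()` untouched. The question in the quoted mail about stripping OGNL syntax from request variables amounts to blacklisting a grammar that includes property access, method calls and context references; the pattern here avoids that problem by keeping the expression under developer control so that there is nothing for a filter to miss.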