Christian, as I said, I am OK with the view layer using OGNL. If JSPs are using that, I see no problem. But I should ask if the majority of vulnerabilities are from the view layer or from the processor/controller layer?
On Wed, Sep 4, 2013 at 10:20 AM, Christian Grobmeier <grobme...@gmail.com> wrote:

> On 04.09.13 16:34, Dave Newton wrote:
> > I'd looked into replacing OGNL with MVEL, including the templating, but it
> > entailed a fairly extensive effort.
> >
> > Not saying it isn't worth it; personally I'd like to see a few other
> > options and a simplification of the templates (and potential speedups).
>
> I found Struts tags often rely on the com.opensymphony.xwork2.ognl
> package (accessing the value stack). My guess is, everything which accesses
> the value stack is done with OGNL. I think Validation is based on OGNL
> too.
>
> > Dave
> >
> > On Wed, Sep 4, 2013 at 10:21 AM, Paul Benedict <pbened...@apache.org> wrote:
> >
> >> Isn't it already "decoupled" since OGNL is a separate project? I mean, of
> >> course Struts 2 needs mediating code to support it, but how coupled is it
> >> really?
> >>
> >> Paul
> >>
> >> On Wed, Sep 4, 2013 at 8:04 AM, Christian Grobmeier <grobme...@gmail.com> wrote:
> >>
> >>> Folks,
> >>>
> >>> when researching on OGNL I found this link:
> >>> https://cwiki.apache.org/confluence/display/S2WIKI/OGNL+replacement
> >>>
> >>> In 2008 Brian mentioned "Security risks keep appearing" along with OGNL
> >>> and collected the places where we use OGNL. Given the recent events I
> >>> thought it might be good to bring this up again. Please also note, I
> >>> have helped with OGNL's incubation and I am also touching it over in
> >>> Commons land. My impression is OGNL is not easy to understand and there
> >>> is not really much interest from other people to develop on it.
> >>>
> >>> Looking at this list I feel OGNL is pretty much tied to Struts. On the
> >>> other hand we could start to slowly decouple the two. Not sure what we
> >>> should use otherwise.
> >>>
> >>> Any feelings on that?
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> >>> For additional commands, e-mail: dev-h...@struts.apache.org
> >>>
> >>
> >> --
> >> Cheers,
> >> Paul
> >>

--
Cheers,
Paul