2014-11-07 16:44 GMT+01:00 Volker Krebs <[email protected]>: > Yes my workaround was to directly exclude orderinfo param. > > I don't know if it is broken. But when the behavior of > <param name="acceptParamNames">param1</param> > should be to ignore every parameter but param1, then it's not working as > expected.
I found where the problem is. Right now "acceptParamNames" are added to existing ACCEPTED_PATTERNS defined in DefaultAcceptedPatternsChecker - previously "acceptParamNames" were overriding default patterns from ACCEPTED_PATTERNS. You can still override the default patterns with "struts.override.excludedPatterns" and then use "acceptParamNames" to relax the those global patterns. Or you can implement your own version of AcceptedPatternsChecker. Basically I have to update docs about that. It was introduced by that PR -> https://github.com/apache/struts/pull/11 The question is if this is a better solution? You have a lot of options to check accepted params but maybe it's too complicated? Let me know what you think. Regards -- Ćukasz + 48 606 323 122 http://www.lenart.org.pl/ --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
