https://issues.apache.org/bugzilla/show_bug.cgi?id=57441
--- Comment #4 from Mark Thomas <ma...@apache.org> --- (In reply to Konstantin Kolinko from comment #3) > Is it at all possible to reliably validate functions at compile time? You are right. As of EL 3.0 this is no longer possible. > Maybe whitelist functions that have name only with no prefix? I think that is the only option at this point. In fact, I can't see any other option that would work because of the point you make below: > BTW, it is possible to use javax.el.ImportHandler.importStatic() to declare > a function by importing a static method of a class. An example of > manipulating ImportHandler at run time is in bug 57142. If it is > manipulated at run time, it means that the information is not available at > compile time to perform validation. > > https://issues.apache.org/bugzilla/show_bug.cgi?id=57142#c1 Hmm. If we have no choice but to whitelist functions with no prefix then there might not be a need for the switch to the full EL parser. I think it is worth raising this with the JSP maint lead. I'll do that shortly. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
