Hi all,

As it turns out, we have a pretty big security hole in JSF 2.x (MyFaces and Mojarra).
Please check out my blog entry for further information: http://www.jakobk.com/2011/11/jsf-value-expression-injection-vulnerability/

@leo: can you take care of the bug?

Regards,
Jakob

--
Jakob Korherr

blog: http://www.jakobk.com
twitter: http://twitter.com/jakobkorherr
work: http://www.irian.at