Hi, in the older versions 1.0 - 1.2.8 (I think), there was a security issue with the cancel key request parameter being able to be spoofed. I'm not sure I understand how this works, so please correct me if I'm wrong. Say you have a page with a single field and submit; if you set the cancel request parameter in the URL to true, does it mean that you can still submit user input? Then, since the Action Form's validate() method is bypassed, the user input would still go straight to the Action to carry out whatever business ops?
What I also didn't really understand is that in later versions there was an attribute 'cancellable' which determines whether or not an action is allowed to be cancelled. If cancellable is set to true, is it still possible to spoof the parameter and enter user input to be carried out without validation?

thx ~tam
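How an Action on a mapping that allows cancelling can guard itself, as an added example that is not part of the original post or of the Struts code base: when the cancel parameter is present, validate() is skipped but the form bean is still populated from the request, so the Action checks isCancelled() before it reads any input. The class name, the forward names, the `comment` property, the session attribute and the use of a DynaActionForm are assumptions made for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.DynaActionForm;

// Hypothetical Action behind a one-field form whose mapping has
// validate="true" and is marked as cancellable.
public class SaveCommentAction extends Action {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {

        // Struts flags the request as cancelled when it carries the parameter
        // org.apache.struts.taglib.html.CANCEL (normally sent by <html:cancel>).
        // For a cancelled request the framework does not call validate(),
        // yet the form bean already holds whatever the client submitted.
        // Anyone can add that parameter to a request, so a cancelled request
        // must be treated as "input was never validated".
        if (isCancelled(request)) {
            // Leave without reading or acting on any form property.
            return mapping.findForward("cancelled");   // assumed forward name
        }

        // Reached only when the request was not cancelled, so with
        // validate="true" the form's validate() has already run and passed.
        DynaActionForm commentForm = (DynaActionForm) form;   // assumed form type
        String comment = (String) commentForm.get("comment"); // assumed property

        // Stand-in for the real business operation (assumption).
        request.getSession().setAttribute("lastComment", comment);

        return mapping.findForward("success");          // assumed forward name
    }
}
```

On a mapping that is not marked cancellable, the later versions reject a request carrying the cancel parameter with an InvalidCancelException before the Action runs, so the check above matters for the mappings where cancelling is allowed.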