Another issue, a more stylistic one, is that using methods like this is barely better than scriptlets. Some would argue that this type of work belongs on the server side, especially if you're working with non-programming designers (although some can be trained to use a set of well-defined static methods once they have the syntax).
d.

--- Dale Newfield <[EMAIL PROTECTED]> wrote:

> chengas123 wrote:
> > Ahh, yes, that was my problem. I'm afraid I wasn't expecting that. I don't
> > really see how allowing static method access presents a security problem. Am I
> > opening myself up to any obvious risks by turning this on?
>
> If someone submits a value in a form that you mirror back to them in a
> place that might be evaluated by ognl, then "@[EMAIL PROTECTED](-1)" would be
> a pretty evil risk, no? I'm pretty certain that the most recent xwork
> .jar prevents ognl evaluation while setting parameters from the request,
> so the path that string must take to be destructive is now much more
> convoluted.
>
> -Dale
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
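Added editor's example, not part of the thread or of any poster's message: the setting the thread is talking about is assumed here to be the Struts 2 constant `struts.ognl.allowStaticMethodAccess` (the thread never names it). The fragment shows the weak setting beside the hardened one in a `struts.xml`.

```xml
<!-- struts.xml: added example, not from the thread. Assumes the setting under
     discussion is the Struts 2 constant struts.ognl.allowStaticMethodAccess. -->
<struts>
  <!-- Weak: lets OGNL expressions call static methods (@class@method(...)),
       so any user-controlled string that ends up being evaluated as OGNL
       gets the same ability. -->
  <!-- <constant name="struts.ognl.allowStaticMethodAccess" value="true"/> -->

  <!-- Hardened: keep static method access off (the default) and move the
       helper logic into action properties or a utility bean the view
       can reach through normal property access. -->
  <constant name="struts.ognl.allowStaticMethodAccess" value="false"/>
</struts>
```

The constant is only a secondary control. The primary one is the point Dale makes: request data should be rendered as a value, never placed into a tag attribute that is itself evaluated as an OGNL expression, regardless of whether static method access is on.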