I do see Dale's point now about the security risk. I'd generally agree with Dave that using a static method is basically the same as a scriptlet. However, in this case I can't say it really belongs in my bean. It's really more of a formatting issue. I'd hate to have my bean have two getters for every variable: one to get it regularly and one to get the escaped version. Perhaps the property tag needs another attribute which would allow special JavaScript characters to be escaped?
-Ben

newton.dave wrote:
> Another issue, a more stylistic one, is that using methods like this is barely better than scriptlets. Some would argue that this type of work belongs on the server side, especially if you're working with non-programming designers (although some can be trained to use a set of well-defined static methods once they have the syntax).
>
> d.
>
> --- Dale Newfield <[EMAIL PROTECTED]> wrote:
>
>> chengas123 wrote:
>>> Ahh, yes, that was my problem. I'm afraid I wasn't expecting that. I don't really see how allowing static method access presents a security problem. Am I opening myself up to any obvious risks by turning this on?
>>
>> If someone submits a value in a form that you mirror back to them in a place that might be evaluated by ognl, then "@[EMAIL PROTECTED](-1)" would be a pretty evil risk, no? I'm pretty certain that the most recent xwork .jar prevents ognl evaluation while setting parameters from the request, so the path that string must take to be destructive is now much more convoluted.
>>
>> -Dale

--
View this message in context: http://www.nabble.com/Escaping-Characters-in-Struts-Property-Tag-tf4799846.html#a13752981
Sent from the Struts - User mailing list archive at Nabble.com.
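The escaping Ben is asking for, written out as an added example (this is not code from the thread, from Struts or from XWork; the class name JsStringEscaper and method name escapeJs are assumptions). It is the kind of static helper Dave compares to a scriptlet: a server-side value is rewritten so that it stays inside a JavaScript string literal when the JSP emits it into a script block. Note what it does not do: it says nothing about the OGNL-evaluation path Dale describes, because that risk is about where a reflected value is evaluated, not how it is escaped for the browser.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not from the thread above): escapes a server-side value for
 * use inside a JavaScript string literal that is emitted into an HTML page.
 * Class and method names are assumptions chosen for illustration.
 */
public final class JsStringEscaper {

    private JsStringEscaper() {}

    /** Escapes s so it can sit between single or double quotes in a JS string literal. */
    public static String escapeJs(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\"); break;   // backslash first, so later escapes are not doubled
                case '"':  sb.append("\\\""); break;   // either quote could be the delimiter
                case '\'': sb.append("\\'");  break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                // '<', '>' and '/' are escaped so a value containing "</script>" cannot
                // close the enclosing script element before the JS parser ever sees it.
                case '<':  sb.append("\\u003C"); break;
                case '>':  sb.append("\\u003E"); break;
                case '/':  sb.append("\\/");     break;
                // '&' is escaped so the same output is safe inside an inline event handler
                // attribute, where HTML entities are decoded before the JavaScript runs.
                case '&':  sb.append("\\u0026"); break;
                // U+2028 / U+2029 are line terminators in JavaScript and would end the literal.
                case '\u2028': sb.append("\\u2028"); break;
                case '\u2029': sb.append("\\u2029"); break;
                default:
                    if (c < 0x20 || c == 0x7F) {
                        sb.append(String.format("\\u%04X", (int) c));  // remaining control chars
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: what a form might submit and then have mirrored back
        // into a <script> block by a property tag that does no JS-aware escaping.
        List<String> samples = Arrays.asList(
            "O'Reilly",
            "x'; alert(document.cookie); //",
            "</script><script>alert(1)</script>",
            "line1\nline2\u2028line3");
        for (String userValue : samples) {
            String unsafe = "<script>var name = '" + userValue + "';</script>";
            String safe   = "<script>var name = '" + escapeJs(userValue) + "';</script>";
            System.out.println("unsafe: " + unsafe);
            System.out.println("safe:   " + safe);
            System.out.println();
        }
    }
}
```

Whether this helper is reached from the JSP through an OGNL static-method call or through a small custom tag is the stylistic question Dave raises; the escaping rules are the same either way, and the quote, backslash and "</script>" cases are the ones that matter most in a script block.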