The Wiki page http://wiki.apache.org/velocity/BuildingSecureWebApplications
has some good advice: "It's good practice to configure a Java Security Manager to restrict access to files (outside of the web tree and template paths) and dangerous methods such as System.exit() and getClassLoader."

On 31/03/2010, Alexander Krasnukhin <[email protected]> wrote:
> Yep, I did mean invoke any public method for any object in context. So do as
> somebody already said - pass immutable objects to prevent malicious actions
> from custom template e.g. it isn't a good decision to pass 'alive' business
> object as is to Velocity context.
>
> On 31 March 2010 05:25, ChadDavis <[email protected]> wrote:
>
> > On Tue, Mar 30, 2010 at 4:22 PM, Treague, Keith
> > <[email protected]> wrote:
> > > Can you please elaborate how?
> >
> > I don't think he means arbitrary exactly, but the Velocity Template
> > Language allows you to invoke methods, like myObject.myMethod(). So,
> > any object in the velocity context is subject to any of its public
> > methods being invoked.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
>
> --
> Regards,
>
> Alexander
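To illustrate the point made in the thread (any public method of a context object is callable from a template, so hand Velocity a read-only view rather than a live business object), here is an added example; it is not code from the list thread or from the Velocity project. `Account`, `AccountView` and the template string are constructed for the demonstration, and it assumes a Velocity 1.x engine on the classpath.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

// Hypothetical 'live' business object: every public method, including the
// mutator, is reachable from a template once the object is in the context.
class Account {
    private final String owner;
    private long balance;
    Account(String owner, long balance) { this.owner = owner; this.balance = balance; }
    public String getOwner() { return owner; }
    public long getBalance() { return balance; }
    public void close() { balance = 0; }   // a template can call $account.close()
}

// Immutable view: exposes only the values the template needs, no mutators,
// and holds copies rather than a reference to the live object.
final class AccountView {
    private final String owner;
    private final long balance;
    AccountView(Account source) { this.owner = source.getOwner(); this.balance = source.getBalance(); }
    public String getOwner() { return owner; }
    public long getBalance() { return balance; }
}

public class ContextExposureDemo {
    // Renders the template with the given object bound as $account.
    static String render(Object model, String template) {
        VelocityEngine engine = new VelocityEngine();
        engine.init();
        VelocityContext ctx = new VelocityContext();
        ctx.put("account", model);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "demo", template);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed template: silently invokes close() ($! renders nothing for
        // a void/null result), then reads the balance through property notation.
        String template = "$!account.close()$account.owner: $account.balance";

        // Live object in the context: the mutator runs, balance is now 0.
        System.out.println(render(new Account("alice", 100), template));

        // Read-only view: close() does not exist, so the balance stays 100 and
        // Velocity logs the failed method lookup instead of changing state.
        System.out.println(render(new AccountView(new Account("alice", 100)), template));
    }
}
```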
