Chris Pratt wrote:
Only if we allow the container to process the JSTL EL. If we turn the container off and process the JSTL EL inside of the Struts tag library, the security hole vanishes.
Right--if you replace OGNL with EL in Struts, the security issues that come from executing both go away. Saying that doesn't make the changes trivial. So if you would like to help develop that, please read through the following page and post patches to the following xwork issue:
http://cwiki.apache.org/confluence/display/S2WIKI/OGNL+replacement
http://jira.opensymphony.com/browse/XW-461

-Dale