Andrea Vettori wrote:
That's true but shouldn't the app do some input checking ?

What you're suggesting is that we make this framework vulnerable to poorly written applications? I'd say the framework should be written so that even poorly written applications can't compromise it.

It's the same as SQL injection...

In fact, it's OGNL injection, and the way to avoid it is not to evaluate user provided strings as OGNL expressions. Turning off EL is part of how that's been accomplished.

-Dale
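As an added illustration, not code from this thread or from the framework under discussion, the two patterns Dale contrasts in Java using the OGNL library's Ognl.getValue: the first method evaluates the request string itself as an OGNL expression, the second only lets the string select one of a fixed set of property names, so no request data is ever parsed as OGNL. The Profile bean, the method names and the allow-list are constructed for the example.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import ognl.Ognl;
import ognl.OgnlException;

public class OgnlLookupExample {

    // Constructed stand-in for the action/root object a framework exposes to OGNL.
    public static class Profile {
        private final String name;
        public Profile(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // The injection pattern described in the thread: the request string *is* the
    // OGNL expression, so whatever OGNL can express, the caller can make it do.
    static Object evaluateUntrusted(String requestValue, Object root) throws OgnlException {
        Map<?, ?> ctx = Ognl.createDefaultContext(root);
        return Ognl.getValue(requestValue, ctx, root);
    }

    // The fix: request data is never treated as an expression. It may only name
    // one of the properties this code chooses to expose; anything that is not a
    // bare identifier on the allow-list is rejected before OGNL sees it.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    static Object lookupAllowed(String requestValue, Object root, Set<String> exposed)
            throws OgnlException {
        if (!IDENTIFIER.matcher(requestValue).matches() || !exposed.contains(requestValue)) {
            throw new IllegalArgumentException("property not exposed: " + requestValue);
        }
        Map<?, ?> ctx = Ognl.createDefaultContext(root);
        return Ognl.getValue(requestValue, ctx, root);
    }

    public static void main(String[] args) throws OgnlException {
        Profile root = new Profile("alice");
        Set<String> exposed = Set.of("name");
        // A plain property name on the allow-list is looked up normally.
        System.out.println(lookupAllowed("name", root, exposed));
        try {
            // Anything that is an expression rather than an identifier is refused.
            lookupAllowed("name.length()", root, exposed);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```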
