Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dale Newfield
Andrea Vettori wrote: can someone explain why it's bad practice to do something like this in a jsp page : <sometaglib:sometag var="result"/> <s:hidden name="property" value="${result}"/> Because the value of ${result} will then be evaluated as an OGNL expression. So let's say this <sometaglib:sometag

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
That's true but shouldn't the app do some input checking ? It's the same as SQL injection... On 06/mar/08, at 18:37, Dale Newfield wrote: Andrea Vettori wrote: can someone explain why it's bad practice to do something like this in a jsp page : <sometaglib:sometag

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Chris Pratt
On Thu, Mar 6, 2008 at 9:37 AM, Dale Newfield [EMAIL PROTECTED] wrote: Andrea Vettori wrote: can someone explain why it's bad practice to do something like this in a jsp page : <sometaglib:sometag var="result"/> <s:hidden name="property" value="${result}"/> Because the value of ${result}

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dale Newfield
Chris Pratt wrote: Only if we allow the container to process the JSTL EL. If we turn the container off and process the JSTL EL inside of the Struts tag library, the security hole vanishes. Right--if you replace OGNL with EL in struts, the security issues that come from executing both go

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dale Newfield
Andrea Vettori wrote: That's true but shouldn't the app do some input checking ? What you're suggesting is that we make this framework vulnerable to poorly written applications? I'd say the framework should be written so that even poorly written applications can't compromise it. It's the

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dave Newton
--- Chris Pratt [EMAIL PROTECTED] wrote: Only if we allow the container to process the JSTL EL. If we turn the container off and process the JSTL EL inside of the Struts tag library, the security hole vanishes. So does my ability to use ${narnar} inside a JSP page, no? That's not something

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
On 06/mar/08, at 19:04, Dale Newfield wrote: Andrea Vettori wrote: That's true but shouldn't the app do some input checking ? What you're suggesting is that we make this framework vulnerable to poorly written applications? I'd say the framework should be written so

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Antonio Petrelli
Sorry if I come up now, but there is an effort to create an EL plugin for Struts 2.1.x: http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin/ http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin-example/ If you want EL support back, please contribute to this

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
thanks I'll check it... On 06/mar/08, at 19:49, Antonio Petrelli wrote: Sorry if I come up now, but there is an effort to create an EL plugin for Struts 2.1.x: http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin/

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Felipe Rodrigues
That's what I was looking for!!! :-) Felipe Antonio Petrelli-3 wrote: Sorry if I come up now, but there is an effort to create an EL plugin for Struts 2.1.x: http://svn.apache.org/repos/asf/struts/sandbox/trunk/struts2-uel-plugin/

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Chris Pratt
On Thu, Mar 6, 2008 at 10:25 AM, Dave Newton [EMAIL PROTECTED] wrote: --- Chris Pratt [EMAIL PROTECTED] wrote: Only if we allow the container to process the JSTL EL. If we turn the container off and process the JSTL EL inside of the Struts tag library, the security hole vanishes. So

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dave Newton
--- Chris Pratt [EMAIL PROTECTED] wrote: today). My proposed change would be at the point where the attribute is evaluated (I have no idea where that happens within the struts component framework). Before processing the attribute it should first be checked to see if it contains JSTL EL tags

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Chris Pratt
On Thu, Mar 6, 2008 at 4:27 PM, Dave Newton [EMAIL PROTECTED] wrote: --- Chris Pratt [EMAIL PROTECTED] wrote: today). My proposed change would be at the point where the attribute is evaluated (I have no idea where that happens within the struts component framework). Before processing

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dave Newton
--- Chris Pratt [EMAIL PROTECTED] wrote: * The struts tag first parses the attribute looking for ${, if it is found it uses the JSP EL API to evaluate the value for the attribute. If it is not found, it is assumed to be OGNL and processed just like today. Oh, gotcha. Re-meh. Dave

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dale Newfield
Chris Pratt wrote: The proposed flow (with <rtexprvalue>false</rtexprvalue>): The bit you're missing is that if you have a tag attribute with rtexprvalue set to false that contains what the container thinks is an EL expression (i.e., ${foo}), the jsp compilation will fail, so it will never

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Brian Pontarelli
Dale Newfield wrote: Chris Pratt wrote: The proposed flow (with <rtexprvalue>false</rtexprvalue>): The bit you're missing is that if you have a tag attribute with rtexprvalue set to false that contains what the container thinks is an EL expression (i.e., ${foo}), the jsp compilation will fail,

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Chris Pratt
On Thu, Mar 6, 2008 at 4:59 PM, Dale Newfield [EMAIL PROTECTED] wrote: Chris Pratt wrote: The proposed flow (with <rtexprvalue>false</rtexprvalue>): The bit you're missing is that if you have a tag attribute with rtexprvalue set to false that contains what the container thinks is an EL

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Dale Newfield
Chris Pratt wrote: I don't know about other containers, but this works great on Resin. I do it today. Glad to learn I'm wrong! So the plugable EL version of the struts tags should all be able to work with the same .tld, with rtexprvalue set to false everywhere, and the tag attributes that