I also agree that JSP EL should be enabled by default. Having to create a
seperate tld just to use EL in tag attributes isn't very maintainable if the
taglib changes.
Could this be solved by creating 2 versions of the tld? I know other taglibs
have such things as "taglibname" and "taglibname-el" for their uri's.
> From: [EMAIL PROTECTED]> To: dev@struts.apache.org> Subject: Re: JSP EL in
struts2 tags> Date: Fri, 30 Nov 2007 17:40:42 +0100> > > Il giorno 30/nov/07,
alle ore 17:22, Brian Pontarelli ha scritto:> > > Andrea Vettori wrote:> >>
Already posted on user list but maybe more appropriate here...> >>> >>> >> Hi,>
>>> >> It's long time I was away from this list.> >>> >> I've found with big
surprise that JSP EL is not available in S2 tags> >> anymore. I've looked at
the release notes and found it was because > >> of a> >> security problem
similar to one I've discovered some time ago.> >>> >> What I haven't understand
is :> >>> >> If in the JSP EL I use ONLY page variables into S2 tags (that is >
>> don't use> >> request variables) do the problem still exist ?> >>> > I doubt
it because the issue is a user passing in a request > > parameter that contains
an OGNL expression (from what I understand). > > However, I think this and many
other things warrant a full > > discussion of OGNL, JSP EL, the Unified EL and
figuring out how to > > reduce the difficulty for users getting into S2 and for
making > > everything more consistent overall. One of the big items is that a >
> mixture of EL and OGNL is somewhat painful and confusing. With this > >
change it also makes upgrading older applications very difficult. In > >
addition, use of many expression languages makes maintenance more > > difficult
when the page uses many JSP taglibs in addition to the S2 > > taglibs.> > > >
It seems to me that if the problem is triggered only when using a > request
parameter inside EL than EL should be on by default on s2 tags > because using
request parameters that way is bad practice (should'nt > we use actions
getters/setters and than call a jsp view?)> > I also think that this mixture of
OGNL and EL is confusing and if I > must choose to have only one I'll choose EL
that's a standard and is > supported on many other taglibs.> > > --> Ing.
Andrea Vettori> Consulente per l'Information Technology> > > >
---------------------------------------------------------------------> To
unsubscribe, e-mail: [EMAIL PROTECTED]> For additional commands, e-mail: [EMAIL
PROTECTED]>
_________________________________________________________________
Introducing the City @ Live! Take a tour!
http://getyourliveid.ca/?icid=LIVEIDENCA006
