On 30 Nov 07, at 17:22, Brian Pontarelli wrote:
Andrea Vettori wrote:
Already posted on user list but maybe more appropriate here...
Hi,
I have been away from this list for a long time.
I've found with big surprise that JSP EL is not available in S2 tags
anymore. I've looked at the release notes and found it was because of a
security problem similar to one I've discovered some time ago.
What I haven't understood is:
If in the JSP EL I use ONLY page variables in S2 tags (that is, don't use
request variables), does the problem still exist?
I doubt it because the issue is a user passing in a request
parameter that contains an OGNL expression (from what I understand).
However, I think this and many other things warrant a full
discussion of OGNL, JSP EL, the Unified EL and figuring out how to
reduce the difficulty for users getting into S2 and for making
everything more consistent overall. One of the big items is that a
mixture of EL and OGNL is somewhat painful and confusing. With this
change it also makes upgrading older applications very difficult. In
addition, use of many expression languages makes maintenance more
difficult when the page uses many JSP taglibs in addition to the S2
taglibs.
It seems to me that if the problem is triggered only when using a
request parameter inside EL then EL should be on by default on s2 tags
because using request parameters that way is bad practice (shouldn't
we use action getters/setters and then call a JSP view?).
I also think that this mixture of OGNL and EL is confusing and if I
must choose to have only one I'll choose EL, which is a standard and is
supported on many other taglibs.
--
Ing. Andrea Vettori
Information Technology Consultant
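
The question discussed in this thread, as an added toy model that is not code from the thread or from Struts: it assumes a two-pass evaluation in which the container resolves JSP EL first and the tag then evaluates any `%{...}` text it receives. The `%{...}` evaluator is a dictionary lookup standing in for OGNL, and every name and sample value is constructed.

```python
import re

EL = re.compile(r"\$\{(\w+)\.(\w+)\}")   # toy JSP EL: ${scope.name}
OGNL = re.compile(r"%\{([^}]*)\}")       # toy stand-in for an OGNL expression

def container_pass(attr, scopes):
    """Pass 1: the JSP container substitutes EL before the tag sees the attribute."""
    return EL.sub(lambda m: str(scopes[m.group(1)].get(m.group(2), "")), attr)

def tag_pass(value, stack, evaluated):
    """Pass 2: the tag evaluates whatever expression text it was handed."""
    def run(m):
        expr = m.group(1).strip()
        evaluated.append(expr)           # record every expression that ran
        return str(stack.get(expr, ""))
    return OGNL.sub(run, value)

def render(attr, scopes, stack):
    """Return the rendered value and the list of expressions the tag evaluated."""
    evaluated = []
    return tag_pass(container_pass(attr, scopes), stack, evaluated), evaluated

def is_template_only(attr, scopes, stack):
    """True if every evaluated expression was written by the page author."""
    authored = [e.strip() for e in OGNL.findall(attr)]
    return all(e in authored for e in render(attr, scopes, stack)[1])

# Constructed value stack and constructed attribute/scope combinations.
STACK = {"user.name": "alice", "secret": "s3cr3t"}
CASES = {
    "OGNL written by the author":
        ("%{user.name}", {"pageScope": {}, "param": {}}),
    "page variable set by the developer":
        ("${pageScope.label}", {"pageScope": {"label": "Name"}, "param": {}}),
    "request parameter in EL":
        ("${param.q}", {"pageScope": {}, "param": {"q": "%{secret}"}}),
    "page variable copied from the request":
        ("${pageScope.q}", {"pageScope": {"q": "%{secret}"}, "param": {}}),
}

def report():
    """Map each case to whether only author-written expressions were evaluated."""
    return {name: is_template_only(a, s, STACK) for name, (a, s) in CASES.items()}

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{'ok  ' if ok else 'FLAG'} {name}")
```

In this model what matters is where the value originated, not which scope it is read from: a page variable is only safe if nothing user-controlled was ever stored in it.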