Andrea Vettori wrote:
Already posted on user list but maybe more appropriate here...


Hi,

I've been away from this list for a long time.

I've found, to my great surprise, that JSP EL is not available in S2 tags
anymore. I've looked at the release notes and found it was because of a
security problem similar to one I discovered some time ago.

What I haven't understood is:

If in the JSP EL I use ONLY page variables in S2 tags (that is, I don't use
request variables), does the problem still exist?
I doubt it, because the issue is a user passing in a request parameter that contains an OGNL expression (from what I understand). However, I think this and many other things warrant a full discussion of OGNL, JSP EL, the Unified EL and figuring out how to reduce the difficulty for users getting into S2 and for making everything more consistent overall.

One of the big items is that a mixture of EL and OGNL is somewhat painful and confusing. This change also makes upgrading older applications very difficult. In addition, use of many expression languages makes maintenance more difficult when the page uses many JSP taglibs in addition to the S2 taglibs.

Thoughts?

-bp

