Ing. Andrea Vettori on 30/11/07 16:40, wrote:
On 30/nov/07, at 17:22, Brian Pontarelli wrote:
Andrea Vettori wrote:
Already posted on user list but maybe more appropriate here...
It's been a long time since I was on this list.
I've found with big surprise that JSP EL is not available in S2 tags
anymore. I've looked at the release notes and found it was because of a
security problem similar to one I've discovered some time ago.
What I haven't understood is:
If in the JSP EL I use ONLY page variables in S2 tags (that is, I
don't use request variables), does the problem still exist?
I doubt it because the issue is a user passing in a request parameter
that contains an OGNL expression (from what I understand). However, I
think this and many other things warrant a full discussion of OGNL,
JSP EL, the Unified EL and figuring out how to reduce the difficulty
for users getting into S2 and for making everything more consistent
overall. One of the big items is that a mixture of EL and OGNL is
somewhat painful and confusing. With this change it also makes
upgrading older applications very difficult. In addition, use of many
expression languages makes maintenance more difficult when the page
uses many JSP taglibs in addition to the S2 taglibs.
It seems to me that if the problem is triggered only when using a
request parameter inside EL, then EL should be on by default in S2 tags,
because using request parameters that way is bad practice (shouldn't we
use action getters/setters and then call a JSP view?)
I also think that this mixture of OGNL and EL is confusing, and if I must
choose to have only one, I'll choose EL, which is a standard and is
supported by many other taglibs.
I thought I heard Ted say a month ago that Don was doing some refactoring in
XWork that would allow the script language to be pluggable.
I missed any further comments on the subject though, so I don't know if it was
successful, still in the pipeline, or what.
Regards
Adam