As someone mentioned, do we want to bundle both under different URIs? We could keep the paranoid/safe one as the default, and use a URI like struts-tags-rt for the one that allows all runtime expressions. To use the other, we can change one line at the top of the file to "opt in".
-Ted.

On Dec 3, 2007 2:48 AM, Don Brown <[EMAIL PROTECTED]> wrote:
> On 12/3/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:
> > I'm happy to know that a complete solution is being planned/developed.
> > I just say that if the security problem is caused only by bad
> > programming practice, removing EL evaluation from the S2 tld is causing
> > upgrading problems to many well-written applications.
>
> It isn't so much bad programming practices as unintentionally opening
> your application up to abuse. If you are confident that your
> application isn't vulnerable, feel free to replace the struts-tags.tld
> in the struts jar with one that allows expressions. The 10 minutes
> that will take will probably save you tons of time.
>
> Don
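To make concrete what the two-URI proposal above would look like, here is a constructed illustration (added here, not the struts-tags.tld that ships with Struts 2 and not code from anyone on the thread). It shows the single TLD setting that the thread is about, the `rtexprvalue` flag on each tag attribute, and the one-line change at the top of a JSP that opts a page into the expression-enabled variant. The `/struts-tags-rt` URI is Ted's proposed name; the `property` tag and its class are shown as they exist in Struts 2, but the TLD is trimmed to one tag and one attribute for brevity. With `rtexprvalue` set to `false` the JSP translator treats the attribute as a literal string and does not accept a runtime expression there, so the value cannot be evaluated once by the container and a second time by the tag; the "rt" variant restores the pre-2.0.11 behaviour for applications whose authors have reviewed it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: a trimmed struts-tags.tld with runtime expressions
     disabled. This is the safe default the thread proposes keeping. -->
<taglib xmlns="http://java.sun.com/xml/ns/j2ee" version="2.0">
  <tlib-version>2.0</tlib-version>
  <short-name>s</short-name>
  <uri>/struts-tags</uri>

  <tag>
    <name>property</name>
    <tag-class>org.apache.struts2.views.jsp.PropertyTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <name>value</name>
      <required>false</required>
      <!-- false: the JSP translator only accepts a literal string here, so
           request-controlled text cannot be pushed through container EL
           before the tag hands it to OGNL. -->
      <rtexprvalue>false</rtexprvalue>
    </attribute>
  </tag>
</taglib>

<!-- Constructed example: the opt-in variant, identical except for its <uri>
     and the rtexprvalue flag. Bundled as a second TLD (Ted's proposed name),
     it lets a reviewed application re-enable runtime expressions per page. -->
<taglib xmlns="http://java.sun.com/xml/ns/j2ee" version="2.0">
  <tlib-version>2.0</tlib-version>
  <short-name>s</short-name>
  <uri>/struts-tags-rt</uri>

  <tag>
    <name>property</name>
    <tag-class>org.apache.struts2.views.jsp.PropertyTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <name>value</name>
      <required>false</required>
      <!-- true: <%= %> and ${} are allowed; only use on pages that never
           place untrusted input into a tag attribute. -->
      <rtexprvalue>true</rtexprvalue>
    </attribute>
  </tag>
</taglib>

<!-- The "one line at the top of the file" that selects the variant. A JSP
     using the safe default declares:

       <%@ taglib prefix="s" uri="/struts-tags" %>

     and a page that explicitly opts in to runtime expressions declares:

       <%@ taglib prefix="s" uri="/struts-tags-rt" %>

     Nothing else in the page changes, which makes the opt-in easy to grep
     for during a security review. -->
```

Because the URI is resolved from the TLD's `<uri>` element, both files can live in the same jar; a deployment that wants the strict behaviour everywhere can simply omit the `-rt` TLD from the build and any page still referencing it fails at translation time rather than silently evaluating expressions.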