On Thu, Mar 6, 2008 at 8:43 AM, Andrea Vettori <[EMAIL PROTECTED]> wrote:
> My point is that there are many jsp tag libraries out there. For
>  example, I've developed and I'm maintaining four big ecommerce sites
>  with struts2 and some taglibs. But I'm using 2.0.8 since in many jsp
>  pages I've used EL in struts tags.
>  I think that the bad practice is using request variables in EL
>  expressions, not the generic use of EL expressions in s2 tags.
>
>  Personally I have never used OGNL expressions inside my jsps apart from
>  some simple %{variable}. I think it's cleaner using jsp tags and
>  variables because the page is more readable even to page designers.
>  For example,
>
>
>  > <s:hidden name="anotherProperty" value="%{anotherResult.dosomething()}"/>
>
>  if anotherResult is an object with many methods, some of which are not
>  designed to be called from jsp pages, why should I have to expose the
>  object and potentially all its methods instead of using
>
>  <mytag:myobjectdosomething var="result"/>
>  <s:hidden name="anotherProperty" value="${result}"/>
>
>  Ok, it's two lines instead of one and you have to implement the tag.
>  But I think it's cleaner, less dangerous than exposing all the object
>  methods, and understandable by non-expert page designers...
>
>  Finally I think that removing EL expressions from s2 tags because they
>  can be dangerous if used in the bad way is like not selling cars
>  anymore since you can kill someone if driving in the bad way...
>
>  Hope this can contribute to the discussion to have ELs back... :)
>
>

I completely agree, and I think there's a "safe and sane" way of
bringing EL expressions back that doesn't hurt security.

I have developed a set of tags that take either (not both) JSTL EL
expressions or OGNL expressions in their attributes.  It's fairly
easy: you set the tags not to accept EL in the TLD so the full
expression is passed to the tag, then you check for ${ and, if found,
process the attribute using the JSTL EL processor; otherwise process
the attribute with the OGNL processor.

There shouldn't be a way to game the system into playing one EL
against the other in this situation.

Unfortunately I don't have the intimate knowledge of the internals of
the Struts tag library, nor do I understand all the intricacies of
supporting every rendering engine known to man, plus, like everyone
else here, my time is limited or I would definitely be willing to do
the work myself.  But, if anyone is interested in seeing how I
implemented the solution I'm more than willing to share.
  (*Chris*)
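The dispatch Chris describes, written out as an added example in Python; this is not Struts, JSTL or OGNL code and did not come from anyone in this thread. The two evaluators are constructed stand-ins that resolve dotted names against a dict, and `Result`, `PAGE_SCOPE` and `VALUE_STACK` are constructed sample data. The EL stand-in reaches data only and refuses method calls, which is Andrea's point above about a custom tag exposing a value rather than an object. `evaluate_attribute_twice` is the pattern the design avoids, included so the difference between one pass and two is visible on the same input.

```python
import re
from typing import Any, Mapping

# Constructed stand-ins for the two evaluators. A real tag would delegate
# ${...} to the JSTL EL evaluator and %{...} to OGNL; these only resolve
# dotted names against a dict, which is enough to show the dispatch.
EL_TOKEN = re.compile(r"\$\{([^{}]*)\}")
OGNL_TOKEN = re.compile(r"%\{([^{}]*)\}")


def _resolve(root: Any, path: str, allow_calls: bool) -> Any:
    """Walk a dotted path such as 'a.b.c' over dicts and plain objects.
    A segment written 'c()' invokes a zero-argument method, but only when
    allow_calls is set (the OGNL stand-in); the EL stand-in reaches data only."""
    value = root
    for part in path.strip().split("."):
        is_call = part.endswith("()")
        name = part[:-2] if is_call else part
        value = value[name] if isinstance(value, Mapping) else getattr(value, name)
        if is_call:
            if not allow_calls:
                raise PermissionError(f"EL attribute may not call {name}()")
            value = value()
    return value


def eval_jstl_el(attr: str, page_scope: Mapping[str, Any]) -> str:
    """EL stand-in: every ${...} becomes a page-scope lookup; other text is literal."""
    return EL_TOKEN.sub(lambda m: str(_resolve(page_scope, m.group(1), False)), attr)


def eval_ognl(attr: str, value_stack: Mapping[str, Any]) -> str:
    """OGNL stand-in: every %{...} becomes a value-stack lookup, method calls allowed."""
    return OGNL_TOKEN.sub(lambda m: str(_resolve(value_stack, m.group(1), True)), attr)


def evaluate_attribute(attr: str, page_scope: Mapping[str, Any],
                       value_stack: Mapping[str, Any]) -> str:
    """One attribute, one evaluator. With EL disabled in the TLD the tag
    receives the raw attribute; if it contains '${' it goes to the EL
    evaluator, otherwise to OGNL. The returned string is final and is never
    handed to the other evaluator, so a value that merely contains '%{' or
    '${' stays literal."""
    if "${" in attr:
        return eval_jstl_el(attr, page_scope)
    return eval_ognl(attr, value_stack)


def evaluate_attribute_twice(attr: str, page_scope: Mapping[str, Any],
                             value_stack: Mapping[str, Any]) -> str:
    """The pattern the design above avoids: EL output re-evaluated as OGNL.
    Now any page-scope value that contains '%{' (for example one copied from
    a request parameter) decides what the OGNL evaluator looks up."""
    return eval_ognl(eval_jstl_el(attr, page_scope), value_stack)


class Result:
    """Constructed sample object with a data property and a method."""
    def __init__(self, value: str) -> None:
        self.value = value

    def dosomething(self) -> str:
        return f"computed:{self.value}"


# Constructed sample scopes. 'userInput' stands for a request-derived string.
PAGE_SCOPE = {"result": "42", "res": Result("y"), "userInput": "%{secret}"}
VALUE_STACK = {"anotherResult": Result("x"), "secret": "value-stack-only"}


if __name__ == "__main__":
    for attr in ("${result}", "%{anotherResult.dosomething()}",
                 "${result}-%{secret}", "${userInput}"):
        print(f"{attr!r:40} -> {evaluate_attribute(attr, PAGE_SCOPE, VALUE_STACK)!r}")
    print("double pass of ${userInput} ->",
          repr(evaluate_attribute_twice("${userInput}", PAGE_SCOPE, VALUE_STACK)))
```

Run it directly to see the four single-pass results and the double-pass one. The mixed attribute `${result}-%{secret}` comes back as `42-%{secret}` because the `${` check routes it to the EL evaluator alone; the `%{...}` is left as text rather than evaluated, which is the "either, not both" property. The same holds for `${userInput}`: its value `%{secret}` is returned as a literal, whereas the two-pass version resolves it against the value stack.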
