Musachy Barroso wrote:
Should we continue to use OGNL for parameter binding? This creates so
many possible security holes, in exchange for pretty much nothing,
when parameter names should be simple (indexing + the old A.B.C
notation).
Are there any use cases where the full OGNL power is needed, for
parameter binding?
musachy
I haven't seen any obstacles to a change like that. It would be nice if
we could reuse a param binding implementation with type-conversion from
somewhere else rather than reinvent another.
It's a shame though; the current approach is logical if it wasn't so
open to clever exploits.
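
A sketch of the restricted name grammar proposed in this thread (simple names, indexing and the A.B.C notation), added here as an illustration and not taken from Struts or from either poster. The class name `SimpleParamName`, the length limit and the quoted-key form are assumptions; the sample names are constructed.

```java
import java.util.List;
import java.util.regex.Pattern;

public class SimpleParamName {
    // One segment: an identifier followed by zero or more index suffixes,
    // each either [digits] or ['key'] with a restricted key alphabet (assumed).
    private static final String SEGMENT =
        "[A-Za-z_][A-Za-z0-9_]*(?:\\[(?:\\d{1,9}|'[A-Za-z0-9_\\-]{1,64}')\\])*";

    // Whole name: segments joined by dots (the A.B.C notation), nothing else.
    private static final Pattern NAME =
        Pattern.compile(SEGMENT + "(?:\\." + SEGMENT + ")*");

    private static final int MAX_LENGTH = 128; // assumed limit

    /** True only if the name is a plain property path; nothing is evaluated. */
    public static boolean isSimplePath(String name) {
        return name != null
            && name.length() <= MAX_LENGTH
            && NAME.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample parameter names.
        List<String> samples = List.of(
            "name",
            "user.address.street",
            "items[0].price",
            "labels['en-US']",
            "name.toString()",   // method call
            "#session.user",     // context variable reference
            "a + b",             // operator expression
            "items[index]",      // index that is itself an expression
            "user..name");       // empty segment
        for (String s : samples) {
            System.out.printf("%-22s %s%n", s, isSimplePath(s) ? "bind" : "reject");
        }
    }
}
```

The first four names are accepted and the remaining five are rejected before any binding code sees them, which is the property the thread is after: the parameter name is matched against a fixed grammar instead of being handed to an expression evaluator.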