2014-05-23 10:28 GMT+02:00 Lukasz Lenart <lukaszlen...@apache.org>:
> 2014-05-23 10:19 GMT+02:00 Christoph Nenning <christoph.nenn...@lex-com.net>:
>> what about these ?
>>
>> - javax.*
>
> +1
>
>> - org.apache.struts2.*
>> - com.opensymphony.xwork2.*
>
> won't work: #session, #request, #parameters, etc
>
> http://struts.apache.org/release/2.3.x/docs/ognl.html

And OGNL is used to set parameters on interceptors (like <param name="excludeParams">...</param>)

>
>> At least in my applications I didn't ever need to call anything from
>> libraries, just code of the application itself.
>>
>> From that point of view we could even exclude the following. But that
>> might be too specific as default in struts:
>> - java.*
>> - org.*
>> - net.* (e.g. libraries hosted on source forge)
>> - com.google.*
>
> A bit too wide, but we can try - User can always use a different set
> of patterns :-)

Too broad... maybe add white-listing but how to discover user's classes ?

Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
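
Added example, not part of the original message and not Struts code: a simplified package-prefix filter that runs the pattern sets proposed in this thread, plus an allow-list, over a few class names to show what each choice lets through. The matching rule, the class `PackagePatternCheck`, and the application package `com.example.shop` are assumptions; `SessionMap` and `RequestMap` stand in for the framework objects behind `#session` and `#request`.

```java
import java.util.*;

// Added illustration: a simplified package-prefix filter, not Struts code.
public class PackagePatternCheck {

    // True when className sits in (or under) the package named by a "pkg.*" pattern.
    static boolean matches(String pattern, String className) {
        String prefix = pattern.endsWith(".*")
                ? pattern.substring(0, pattern.length() - 1)   // "javax.*" -> "javax."
                : pattern + ".";
        return className.startsWith(prefix);
    }

    // Deny-list semantics: a class is usable unless some excluded pattern matches it.
    static boolean allowedByExcludes(List<String> excludes, String className) {
        return excludes.stream().noneMatch(p -> matches(p, className));
    }

    // Allow-list semantics: a class is usable only if some included pattern matches it.
    static boolean allowedByIncludes(List<String> includes, String className) {
        return includes.stream().anyMatch(p -> matches(p, className));
    }

    public static void main(String[] args) {
        // Constructed sample: two framework classes, two JDK classes, one hypothetical app class.
        List<String> classes = Arrays.asList(
                "org.apache.struts2.dispatcher.SessionMap",
                "org.apache.struts2.dispatcher.RequestMap",
                "java.lang.Runtime",
                "java.lang.String",
                "com.example.shop.OrderAction");

        List<String> narrow = Arrays.asList("javax.*");
        List<String> framework = Arrays.asList("javax.*", "org.apache.struts2.*", "com.opensymphony.xwork2.*");
        List<String> broad = Arrays.asList("java.*", "org.*", "net.*", "com.google.*");
        List<String> allowOnly = Arrays.asList("com.example.shop.*"); // assumed application package

        System.out.printf("%-44s %-8s %-10s %-6s %-6s%n", "class", "narrow", "framework", "broad", "allow");
        for (String c : classes) {
            System.out.printf("%-44s %-8b %-10b %-6b %-6b%n", c,
                    allowedByExcludes(narrow, c), allowedByExcludes(framework, c),
                    allowedByExcludes(broad, c), allowedByIncludes(allowOnly, c));
        }
    }
}
```

Each column shows whether the class stays reachable under that pattern set; the allow-list column depends entirely on knowing the application's own package names up front.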