On 20-02-07 17 h 44, Nathan Bubna wrote:
As for setClass(Class cls), couldn't we just change it to:

public void setClass(String classname) {

Seems like that would keep the class="org.com.Foo" config syntax working
and avoid the security issue, right?

Nah, because what happens is that the "class" property is filtered beforehand by beanutils introspector.

What I did is provide the xml digester with a alias, mapping "class" towards "classname".

I'm gonna push your suggestion also, though, as it might help for other configuration methods when running under a security manager.

To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

Reply via email to