Apparently, GWT-RPC is vulnerable if you use "enhanced" classes: https://groups.google.com/d/msg/google-web-toolkit/j36D9-11JF4/OZwNQgvSAgAJ
Should we add a flag to GWT 2.8 disabling the special treatment of "enhanced classes" in GWT-RPC, generating serialization policies without @ClientFields at all? (this would possibly break applications, but at least you can be sure your application is safe) -- You received this message because you are subscribed to the Google Groups "GWT Contributors" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit-contributors/7f7dc488-110b-4e07-9195-ffa074da7cb0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
