lukaszlenart commented on pull request #483: URL: https://github.com/apache/struts/pull/483#issuecomment-830781310
I have a large concern with using `*PatternsChecker`s here; they are supposed to be used as a _border pass control_, validating whether [incoming parameters](https://struts.apache.org/security/#accepted--excluded-patterns) are allowed or not. Now they have been used internally to validate expression evaluation, which can be hard for users to understand. Also, there is no possibility to have more restrictive patterns on _enter_ (in interceptors) and looser patterns internally.

Another thing is that those `*PatternsChecker`s are created per interceptor; the same will happen here, but having a large number of tags will consume a lot of memory instantiating new `*PatternsChecker`s for each tag.

Having said that, I would introduce a dedicated Pattern Checker instance specifically used in tags, with a single simple pattern used to verify expression evaluation. It also has to be a Singleton to reduce memory consumption.
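One way the dedicated, single-pattern tag checker proposed in the comment above could be shaped, as an added example that is not part of the pull request and not Struts code: the class names, the `isAllowed` method and the excluded pattern are assumptions made for illustration, and the pattern is a constructed one, not the project's real excluded-pattern list.

```java
import java.util.regex.Pattern;

/**
 * Hypothetical dedicated checker for expressions evaluated by tags.
 * Illustration only, not Struts code: the class name, the method names
 * and the pattern are assumptions made for this example.
 */
public final class TagExpressionChecker {

    // One compiled pattern shared by every tag. java.util.regex.Pattern is
    // immutable and thread-safe; only the Matcher created per call is not.
    // Constructed for this example: it rejects class/classLoader navigation
    // and OGNL static access ("@"). It is NOT the project's real pattern.
    private static final Pattern EXCLUDED = Pattern.compile(
            "(?i).*(^|[.\\[\"'])(class|getClass\\(\\)|classLoader)([.\\[\"']|$).*|.*@.*");

    // Eagerly created singleton: class initialisation runs once per JVM,
    // so every tag shares this instance instead of instantiating its own.
    private static final TagExpressionChecker INSTANCE = new TagExpressionChecker();

    private TagExpressionChecker() {
    }

    public static TagExpressionChecker getInstance() {
        return INSTANCE;
    }

    /** Returns true when the expression may be evaluated by a tag. */
    public boolean isAllowed(String expression) {
        if (expression == null || expression.isEmpty()) {
            return false;
        }
        return !EXCLUDED.matcher(expression).matches();
    }

    public static void main(String[] args) {
        // Constructed sample expressions for demonstration.
        String[] samples = {
                "person.name",
                "items[0].title",
                "user.class.name",
                "user.getClass().classLoader",
                "@java.lang.Runtime@getRuntime()"
        };
        TagExpressionChecker checker = TagExpressionChecker.getInstance();
        for (String s : samples) {
            System.out.println((checker.isAllowed(s) ? "allowed  " : "rejected ") + s);
        }
    }
}

/** A hypothetical tag keeps a reference to the shared checker rather than creating one. */
class PropertyTagExample {
    private final TagExpressionChecker checker = TagExpressionChecker.getInstance();

    String evaluate(String expression) {
        if (!checker.isAllowed(expression)) {
            throw new IllegalArgumentException("Expression rejected by tag checker: " + expression);
        }
        // Expression evaluation would happen here; echoed back for the example.
        return expression;
    }
}
```

The point of the layout is the one made in the comment: the regex is compiled once and held by a single instance, and each tag only stores a reference, so the memory cost does not grow with the number of tags. The pattern itself is deliberately small for readability; a production checker would take its exclusions from the maintained list in the Struts security documentation rather than from a hand-written regex like this one.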
