Struts 2 security report S2-014 strongly recommends upgrading Struts to 2.3.14.2, but in our project the current Struts 2.3.4.1 is difficult to upgrade.

A member of our project verified the S2-014 problem and found that when includeParams="all" or "get" was not specified in the s:url and s:a tags, no malfunctioning behavior was seen.

I'd like to ask a question. Since neither includeParams="all" nor includeParams="get" is specified in the url/a tags of our JSP application, we'd like to avoid upgrading Struts this time. Does this decision have a problem?

Regards,
Shohji Mikami
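One way to check, across a whole code base, the condition the message relies on (no s:url or s:a tag setting includeParams to "all" or "get"). This is an added example, not part of the original e-mail or of Struts; the sample JSP text, the file suffix list and the RISKY/REVIEW labels are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Opening <s:url ...> / <s:a ...> tags; quoted values may span lines or contain '>'.
TAG_RE = re.compile(r"""<s:(url|a)\b((?:[^>"']|"[^"]*"|'[^']*')*)>""", re.I)
ATTR_RE = re.compile(r"""\bincludeParams\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I)
JSP_SUFFIXES = {".jsp", ".jspf", ".jspx", ".tag"}  # assumed set of view file types

# Constructed sample input, not taken from the original message.
SAMPLE_JSP = '''<%-- constructed sample --%>
<s:url action="list"/>
<s:url action="search"
       includeParams="get"/>
<s:a href="%{detailUrl}" includeParams='none'>detail</s:a>
<s:a action="export" includeParams="%{paramMode}">export</s:a>
<s:url action="all" includeParams="ALL"><s:param name="id" value="%{id > 0 ? id : 1}"/></s:url>
'''

def classify(value):
    """Label an includeParams value; None means it is explicitly 'none'."""
    v = value.strip().lower()
    if v in ("all", "get"):
        return "RISKY"
    # Anything else (an expression such as %{...}) cannot be judged statically.
    return None if v == "none" else "REVIEW"

def scan_text(text, name="<string>"):
    """Return (file, line, tag, value, label) for every tag that needs attention."""
    findings = []
    for m in TAG_RE.finditer(text):
        attr = ATTR_RE.search(m.group(2))
        if attr is None:
            continue  # inherits the global struts.url.includeParams setting (not read here)
        value = attr.group(1) if attr.group(1) is not None else attr.group(2)
        label = classify(value)
        if label:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((name, line, m.group(1).lower(), value, label))
    return findings

def scan_tree(root):
    """Scan every JSP-like file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in JSP_SUFFIXES:
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_JSP)
    for name, line, tag, value, label in results:
        print(f"{label}: {name}:{line} <s:{tag}> includeParams={value!r}")
```

An empty result only covers explicit attributes in the scanned files; tags without the attribute follow the application-wide struts.url.includeParams setting, which has to be checked separately in the Struts configuration.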