On 10/29/07, Manuel Correa <[EMAIL PROTECTED]> wrote:
> In S2.09 it is possible to use EL in the property tags. For example:
>
> <s:property value="${pageContext.request.contextPath}"  />
>
> That's because the parameter in the TLD is rtexprvalue="true".
>
> In S2.0.11 this is not possible (rtexprvalue="false"). I want to know
> if there is some property that activates and deactivates this parameter
> in the TLD, or what is the best way to use EL in tags.
>

I believe that was done as a security precaution.  Since each EL is
processed one after the other, it made it possible for some malicious
user of your system (with enough knowledge of the internals of your
system) to enter a value that the JSP EL would translate into naughty
OGNL that your system would happily translate, giving away all your
secrets.

What I've done in my tag library (that isn't quite finished yet) is to
set all the rtexprvalue's to false, but then check the value for
either the ${ } or %{ } EL variables and process the value through one
or the other, but never both, EL processors.  It seems to be working
nicely, is very flexible and shouldn't have the same vulnerabilities
of the previous Struts 2 tags.
  (*Chris*)
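
The dispatch described in the reply above, as an added sketch that is not the poster's tag library and not Struts code. The class name, the two lookup maps and the toy `lookup`/`unwrap` helpers are assumptions standing in for the JSP EL and OGNL engines; the point is the difference between evaluating the output of one engine in the other and evaluating the attribute text exactly once.

```java
import java.util.Map;

// Added illustration: toy lookups stand in for the JSP EL and OGNL engines.
public class SinglePassEval {
    // Constructed data. The request parameter holds user-supplied text that
    // happens to look like an OGNL expression.
    static final Map<String, String> EL_SCOPE = Map.of("param.name", "%{secret}");
    static final Map<String, String> OGNL_STACK = Map.of("secret", "db-password", "user", "alice");

    static String lookup(Map<String, String> scope, String expr) {
        return scope.getOrDefault(expr, "");
    }

    // Returns the inner expression when value is exactly open + expr + "}", else null.
    static String unwrap(String value, String open) {
        if (value.startsWith(open) && value.endsWith("}")) {
            return value.substring(open.length(), value.length() - 1).trim();
        }
        return null;
    }

    // Chained behaviour the reply warns about: the ${...} result is handed to
    // the second processor, so user-supplied text gets evaluated as an expression.
    static String chained(String attr) {
        String el = unwrap(attr, "${");
        String afterEl = (el != null) ? lookup(EL_SCOPE, el) : attr;
        String ognl = unwrap(afterEl, "%{");
        return (ognl != null) ? lookup(OGNL_STACK, ognl) : afterEl;
    }

    // Approach from the reply: choose one processor from the literal attribute
    // text written by the page author; its result is data and is never re-evaluated.
    static String singlePass(String attr) {
        String el = unwrap(attr, "${");
        if (el != null) return lookup(EL_SCOPE, el);
        String ognl = unwrap(attr, "%{");
        if (ognl != null) return lookup(OGNL_STACK, ognl);
        return attr; // plain literal, no evaluation at all
    }

    public static void main(String[] args) {
        System.out.println("chained:    " + chained("${param.name}"));
        System.out.println("singlePass: " + singlePass("${param.name}"));
        System.out.println("singlePass: " + singlePass("%{user}"));
    }
}
```

Running it shows `chained` resolving the user-supplied parameter a second time against the OGNL map, while `singlePass` returns the parameter text unchanged.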
