Xibin Liu wrote:
In tld of 2.0.11:

    <tag>
      <name>param</name>
      <tag-class>org.apache.struts2.views.jsp.ParamTag</tag-class>
      <body-content>JSP</body-content>
      <description><![CDATA[Parametrize other tags]]></description>
      <attribute>
        <name>name</name>
        <required>false</required>
        <rtexprvalue>false</rtexprvalue>
        <description><![CDATA[Name of Parameter to set]]></description>
      </attribute>

In tld of 2.0.9:

    <tag>
      <name>param</name>
      <tag-class>org.apache.struts2.views.jsp.ParamTag</tag-class>
      <body-content>JSP</body-content>
      <description><![CDATA[Parametrize other tags]]></description>
      <attribute>
        <name>name</name>
        <required>false</required>
        <rtexprvalue>true</rtexprvalue>
        <description><![CDATA[Name of Parameter to set]]></description>
      </attribute>

Is the change made this way intentionally? JSP pages working under 2.0.9 have to be changed before being imported to 2.0.11.

It's not very clearly called out in the release notes, but yes, this is an intentional change. The reason is that there is a security hole with rtexprvalue set to true. I can't find the relevant JIRA ticket offhand, but hopefully someone else will be able to supply that.
L.
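
An added example, not part of the original thread or of Struts itself: a small Python check that compares two TLD files and lists every tag attribute whose rtexprvalue went from true to false, which are the attributes whose JSP usages need review before moving from 2.0.9 to 2.0.11. The TLD text below is constructed; only the param/name entry mirrors the excerpts quoted above, and the "demo" tag and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed TLD excerpts: the param/name attribute mirrors the thread;
# the "demo" tag is hypothetical and only shows attributes that did not change.
TLD_TEMPLATE = """<taglib>
  <tag><name>param</name>
    <attribute><name>name</name><rtexprvalue>{flag}</rtexprvalue></attribute>
  </tag>
  <tag><name>demo</name>
    <attribute><name>id</name><rtexprvalue>false</rtexprvalue></attribute>
    <attribute><name>label</name></attribute>
  </tag>
</taglib>"""
TLD_2_0_9 = TLD_TEMPLATE.format(flag="true")
TLD_2_0_11 = TLD_TEMPLATE.format(flag="false")

def _local(tag):
    # Drop an XML namespace prefix so namespaced TLDs are handled too.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def rtexpr_map(tld_xml):
    """Map (tag name, attribute name) -> whether rtexprvalue is enabled."""
    result = {}
    for tag in ET.fromstring(tld_xml).iter():
        if _local(tag.tag) != "tag":
            continue
        tag_name = _child_text(tag, "name")
        for attr in tag:
            if _local(attr.tag) != "attribute":
                continue
            # A missing rtexprvalue element means false.
            flag = (_child_text(attr, "rtexprvalue") or "false").lower()
            result[(tag_name, _child_text(attr, "name"))] = flag in ("true", "yes")
    return result

def tightened(old_xml, new_xml):
    """Attributes that accepted runtime expressions before and no longer do."""
    old, new = rtexpr_map(old_xml), rtexpr_map(new_xml)
    return sorted(k for k, v in old.items() if v and new.get(k) is False)

if __name__ == "__main__":
    for tag_name, attr_name in tightened(TLD_2_0_9, TLD_2_0_11):
        print(f"{tag_name}@{attr_name}: rtexprvalue true -> false")
```
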

