2008/1/13, Jeromy Evans <[EMAIL PROTECTED]>:
> I don't think this is a critical problem sheerly because the high
> prevalence of such vulnerabilities means some of the responsibility
> falls on the developer to not trust user-entered data.

This is not the case: I think it is a bug, since the URL in <s:url> should be *parsed* first, extracting any query string and its parameters. It is a bug, since ganfab (sorry, I cannot read your name :-) ) tried to use <s:param> and it works. I don't know how <c:url> of JSTL works, but I firmly suppose that it parses the URL.

Antonio
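The parsing step Antonio is arguing for, as an added illustration that is not part of the thread and not Struts or JSTL code: a URL given as a single string is split into path and query, each parameter is extracted, the caller's extra parameters (the <s:param> case) are appended, and the whole query is re-encoded parameter by parameter. The "naive" variant simply appends to the string, which is the behaviour that leaves user-entered characters untouched. The sample URLs and the hypothetical function names are constructed for this example.

```python
import html
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def split_url_params(url):
    """Split a URL into its path and a list of (name, value) query parameters.

    parse_qsl decodes the query, so the values returned are the raw
    user-entered strings, exactly what must be re-encoded on output.
    """
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def rebuild_url(url, extra=()):
    """Parse the URL, append extra (name, value) pairs, and re-encode every
    parameter name and value, the way a tag that parsed its input would emit it."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True) + list(extra)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def naive_append(url, extra=()):
    """Treat the URL as an opaque string and just append the extra parameters.

    Anything already present in the query string (spaces, quotes, a stray '&')
    is passed through unchanged, which is the problem discussed above.
    """
    sep = "&" if "?" in url else "?"
    return url + (sep + urlencode(list(extra)) if extra else "")


def as_html_attr(url):
    """Escape the finished URL for use inside an HTML attribute such as href."""
    return html.escape(url, quote=True)


if __name__ == "__main__":
    # Constructed inputs: a query with a raw space and a dangling name,
    # plus a user-supplied value that tries to break out of an attribute.
    print(split_url_params("search.action?q=a b&c"))
    print(rebuild_url("search.action?q=a b&c"))
    print(naive_append("search.action?q=a b&c", [("id", "7")]))
    print(rebuild_url("list.action", [("id", '1" onmouseover="x')]))
    print(as_html_attr(rebuild_url("search.action?q=a b&c")))
```

The contrast is in the last two outputs: after parsing, the value `1" onmouseover="x` comes out as `1%22+onmouseover%3D%22x`, while `naive_append` leaves `q=a b&c` exactly as the page author typed it. Whether a given tag library parses or appends has to be checked in its source; the example only shows what each strategy produces.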