Maybe it's related to that http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html
I've added some more restrictive rules regarding request's parameters names. Lot of special characters are disallowed, take a look on line 138 http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java?view=markup You can always declare yours own by declaring acceptParamNames for that interceptor. Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ Kapituła Javarsovia 2010 http://javarsovia.pl --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org