Yep, I did mean invoking any public method of any object in the context. So do as somebody already said - pass immutable objects to prevent malicious actions from a custom template, e.g. it isn't a good decision to pass an 'alive' business object as is to the Velocity context.

On 31 March 2010 05:25, ChadDavis <chadmichaelda...@gmail.com> wrote:

> On Tue, Mar 30, 2010 at 4:22 PM, Treague, Keith
> <keith.trea...@merrillcorp.com> wrote:
> > Can you please elaborate how?
>
> I don't think he means arbitrary exactly, but the Velocity Template
> Language allows you to invoke methods, like myObect.myMethod(). So,
> any object in the velocity context is subject to any of its public
> methods being invoked.

--
Regards, Alexander
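
The advice in this thread, shown as an added example that is not part of the original messages or of the Velocity project's code: the same template is rendered once against a live business object and once against an immutable view of it. `Account`, `AccountView`, `render` and the sample template are hypothetical names constructed for illustration; the code assumes Apache Velocity is on the classpath.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class ContextExposureDemo {
    // Hypothetical "live" business object: every public method is reachable from a template.
    public static class Account {
        private final String owner;
        private boolean closed;
        public Account(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }
        public boolean isClosed() { return closed; }
        public void close() { closed = true; } // state-changing public method
    }

    // Hypothetical immutable view: copies only the data the template needs.
    public static final class AccountView {
        private final String owner;
        public AccountView(Account a) { this.owner = a.getOwner(); }
        public String getOwner() { return owner; }
    }

    // Renders a template string with a single context entry named "account".
    static String render(VelocityEngine engine, Object value, String template) throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("account", value);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "demo", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.init();
        // Constructed sample of a custom template that calls a public method.
        String template = "Owner: $account.owner $!account.close()";

        Account live = new Account("alice");
        render(engine, live, template);
        System.out.println("live object closed by template: " + live.isClosed());

        Account backing = new Account("bob");
        String text = render(engine, new AccountView(backing), template);
        System.out.println("view rendered: " + text.trim());
        System.out.println("object behind view closed: " + backing.isClosed());
    }
}
```

The view has no `close()` method, so the second render leaves the backing object untouched while the template can still read `owner`.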