The Wiki page http://wiki.apache.org/velocity/BuildingSecureWebApplications
has some good advice: "It's good practice to configure a Java Security Manager to restrict access to files (outside of the web tree and template paths) and dangerous methods such as System.exit() and getClassLoader."

On 31/03/2010, Alexander Krasnukhin <the.malk...@gmail.com> wrote:
> Yep, I did mean invoke any public method for any object in context. So do as
> somebody already said - pass immutable objects to prevent malicious actions
> from custom template, e.g. it isn't a good decision to pass 'alive' business
> object as is to Velocity context.
>
>
> On 31 March 2010 05:25, ChadDavis <chadmichaelda...@gmail.com> wrote:
>
> > On Tue, Mar 30, 2010 at 4:22 PM, Treague, Keith
> > <keith.trea...@merrillcorp.com> wrote:
> > > Can you please elaborate how?
> > >
> >
> > I don't think he means arbitrary exactly, but the Velocity Template
> > Language allows you to invoke methods, like myObject.myMethod(). So,
> > any object in the velocity context is subject to any of its public
> > methods being invoked.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscr...@velocity.apache.org
> > For additional commands, e-mail: user-h...@velocity.apache.org
>
> --
> Regards,
>
> Alexander
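The "pass immutable objects" advice from the thread, as an added example that is not code from the thread or from the Velocity project: a live business object exposed to the context lets a template call its mutating public method, while a read-only view exposes only the getters the template needs. Class names, the sample template and the `render` helper are constructed for this example; it assumes Velocity 1.7 or later on the classpath.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;

public class ContextExposure {

    // "Alive" business object: every public method is reachable from a template.
    static class Customer {
        private final String name;
        private boolean deleted = false;
        Customer(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean isDeleted() { return deleted; }
        public void delete() { deleted = true; }   // side effect a template should never trigger
    }

    // Immutable view: a snapshot of the fields the template may read, nothing else.
    static final class CustomerView {
        private final String name;
        CustomerView(Customer c) { this.name = c.getName(); }
        public String getName() { return name; }
    }

    // Constructed sample of a template a malicious template author might submit.
    static final String TEMPLATE = "Hello $customer.name $customer.delete()";

    // Evaluates the template against whatever object is bound as $customer.
    static String render(Object exposed) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("customer", exposed);
        StringWriter out = new StringWriter();
        Velocity.evaluate(ctx, out, "demo", TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) {
        Velocity.init();

        Customer live = new Customer("Alice");
        render(live);                              // template reaches delete() on the live object
        System.out.println("live object deleted? " + live.isDeleted());

        Customer guarded = new Customer("Alice");
        System.out.println(render(new CustomerView(guarded)));
        // The view has no delete(); with Velocity's default non-strict reference handling the
        // unresolved call is logged and rendered as literal text, and the business object is untouched.
        System.out.println("guarded object deleted? " + guarded.isDeleted());
    }
}
```

Combined with the Security Manager the wiki page recommends, this limits what a template can do to the object graph even when the template itself is untrusted.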