Hi, sorry to be the devil's advocate here...

People like Velocity because it allows more secure page design than JSP. Since Velocity is so simple but powerful, it is not as secure as some would like it. I attached an example template to demonstrate the security attack.

Velocity does not allow:
* accessing fields of a class
* calling methods of something that is not a class instance

But it allows you to get the class and its classloader, thus one can create instances of whatever is loadable and instantiable. Still, you cannot do something like System.exit() since one cannot get hold of an instance of System.class (there is no constructor!).

PROPOSAL: I propose adding another configuration parameter and adding a check on this in the introspector to avoid calling any methods if the object to be introspected is an instance of a classloader.

-- :) Christoph Reck
Attachment: securityTest.vm (binary data)
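The attack path described in the mail ($obj.class -> classLoader -> loadClass -> newInstance) and the proposed introspector check, as an added example that is not part of the original post or of the Velocity code base. It assumes Velocity 1.x with the Uberspect introspection API (1.4 or later), selected through the `runtime.introspector.uberspect` property; the class names GuardedUberspect and User and the template text are hypothetical. The guard goes one step beyond the proposal by also refusing to introspect java.lang.Class instances, which closes the `$obj.class.xxx` hop as well.

```java
// Added example (not from the original post or from Velocity itself).
// Assumes Velocity 1.x (1.4+) with the Uberspect API; GuardedUberspect,
// User and the template below are constructed for this demonstration.
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.util.introspection.Info;
import org.apache.velocity.util.introspection.UberspectImpl;
import org.apache.velocity.util.introspection.VelMethod;
import org.apache.velocity.util.introspection.VelPropertyGet;

public class ClassLoaderGuardDemo {

    /** Uberspect that refuses to introspect ClassLoader (and Class) instances. */
    public static class GuardedUberspect extends UberspectImpl {

        // The mail proposes blocking ClassLoader; blocking Class as well is an
        // extra hardening step that also stops $obj.class.classLoader itself.
        private static boolean isForbidden(Object obj) {
            return obj instanceof ClassLoader || obj instanceof Class;
        }

        @Override
        public VelMethod getMethod(Object obj, String methodName, Object[] args, Info info)
                throws Exception {
            if (isForbidden(obj)) {
                // null means "no such method": Velocity invokes nothing and the
                // reference stays unresolved (or fails under strict reference mode)
                return null;
            }
            return super.getMethod(obj, methodName, args, info);
        }

        @Override
        public VelPropertyGet getPropertyGet(Object obj, String identifier, Info info)
                throws Exception {
            if (isForbidden(obj)) {
                return null;   // same treatment for $cl.parent style property access
            }
            return super.getPropertyGet(obj, identifier, info);
        }
    }

    /** Harmless bean that a page template legitimately uses. */
    public static class User {
        public String getName() { return "alice"; }
    }

    // Constructed template in the spirit of the attached securityTest.vm:
    // climb from a context object to its Class, then to its ClassLoader,
    // then load and instantiate an arbitrary class (a Date here, for safety).
    static final String TEMPLATE =
        "Hello $user.name\n" +
        "#set($cl = $user.class.classLoader)\n" +
        "#set($clazz = $cl.loadClass('java.util.Date'))\n" +
        "Instantiated: $clazz.newInstance()\n";

    /** Renders TEMPLATE with either the default introspector or the guarded one. */
    static String render(boolean guarded) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        if (guarded) {
            engine.setProperty("runtime.introspector.uberspect",
                               GuardedUberspect.class.getName());
        }
        engine.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("user", new User());

        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "demo", TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Default introspector: the last line prints a freshly created java.util.Date,
        // proving that the template instantiated a class of its own choosing.
        System.out.println("--- default ---\n" + render(false));
        // Guarded introspector: the classLoader hop yields nothing, so $cl is never
        // set, loadClass is never called and no object is created.
        System.out.println("--- guarded ---\n" + render(true));
    }
}
```

Returning null from getMethod/getPropertyGet is the Uberspect contract for "not found", so the guard needs no new exception type; the template simply cannot reach the loader. For reference, Velocity 1.6 and later ship `org.apache.velocity.util.introspection.SecureUberspector`, selected through the same `runtime.introspector.uberspect` property, which applies this kind of check to ClassLoader and Class and additionally honours the `introspector.restrict.classes` and `introspector.restrict.packages` settings; that class postdates this thread and is mentioned here only as context.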
