|
In fact I had a problem only with the "attribute" attribute of tiles' insert tag
but I have included example from the other taglibs for completeness. Changing this to an enhancement.
Don Brown made changes - 23/Apr/06 04:50 AM
Is this still open? From Don's last comment, it sounds like maybe everything is resolved. In any case, it shouldn't be marked for a fix version (1.3.1) that is past, if it's still open, so moving fix version to 1.3.5. If someone else knows more about this issue, please speak up.
Joe Germuska made changes - 21/May/06 02:38 AM
I've updated the JavascriptTag's "staticJavascript" attribute to allow runtime expressions (so that its consistent with the "dynamicJavascript" attribute) and modified the EL version of TLD for the Javascript tag to keep it in line with the standard one:
http://svn.apache.org/viewvc?view=rev&revision=410116 As far as "taglib" sub-project goes this issue is resolved as the only attributes where runtime expressions are not allowed are the id attributes (and the indexId attribute on the IterateTag). So what remains is to sort out tiles and there are quite a few attributes where runtime experessions are not allowed: insert (attribute, beanScope, flush) definition (scope) put (name, direct, type, beanScope) putList (name) add (value, direct, type, beanScope) get (flush) initComponentDefintion (file, className) useAttribute (className) importAttribute (scope) Since the tiles tags are more complicated than the standard ones it needs someone more familiar with tiles determine which attributes are appropriate to change. Opened as SB-23 for Standalone Tiles since that's where active development is taking place. When that issue is resolved we can bring the changes over to Struts Tiles.
Wendy Smoak made changes - 30/May/06 12:47 AM
Resolving for 1.3.5, even though it's not completely fixed. See SB-23 for Standalone Tiles.
Wendy Smoak made changes - 30/May/06 12:54 AM
Paul Benedict made changes - 04/Jul/07 03:25 AM
Jeff Turner made changes - 01/Feb/10 01:03 AM
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 |
|
Improvement
Closed
Minor
Attributes with <rtexprvalue>false</rtexprvalue> in TLD prevent EL evaluation
> In different tld files, different attributes are configured with
> <rtexprvalue>false</rtexprvalue>
> which prevents using EL in a JSP 2.0 Servlet Container.
>
> This is the case for instance in
> - html: tag "javascript" attribute "dynamicJavascript"
> - tiles: tag "insert" attribute "attribute"
> - bean: tag "struts" attribute "id"
>
> I can't recognize any logic explaining why some attributes accept runtime
> expressions and other don't. I think that all attributes should accept runtime
> expression to allow EL use.
I don't recall the particular provenance of these particular decisions, but the
last one in particular reminds me of why we made a similar restriction in JSF
1.0 (you can't use an expression for the "id" property of a component). It
turns out that allowing expressions for this case would allow a class of cross
site scripting attacks that would make the application vulnerable. I can look
up the details if need be, but they were compelling enough for the JSF expert
group to set rtexprvalue to false on this attribute (as well as a couple of
other sensitive ones).