In fact I had a problem only with the "attribute" attribute of tiles' insert tag
but I have included examples from the other taglibs for completeness.

Is this still open? From Don's last comment, it sounds like maybe everything is resolved. In any case, it shouldn't be marked for a fix version (1.3.1) that is past, if it's still open, so moving fix version to 1.3.5. If someone else knows more about this issue, please speak up.

I've updated the JavascriptTag's "staticJavascript" attribute to allow runtime expressions (so that it's consistent with the "dynamicJavascript" attribute) and modified the EL version of the TLD for the Javascript tag to keep it in line with the standard one:
http://svn.apache.org/viewvc?view=rev&revision=410116

As far as the "taglib" sub-project goes, this issue is resolved, as the only attributes where runtime expressions are not allowed are the id attributes (and the indexId attribute on the IterateTag). So what remains is to sort out tiles, and there are quite a few attributes where runtime expressions are not allowed:

- insert (attribute, beanScope, flush)
- definition (scope)
- put (name, direct, type, beanScope)
- putList (name)
- add (value, direct, type, beanScope)
- get (flush)
- initComponentDefintion (file, className)
- useAttribute (className)
- importAttribute (scope)

Since the tiles tags are more complicated than the standard ones, it needs someone more familiar with tiles to determine which attributes are appropriate to change.

Opened as SB-23 for Standalone Tiles since that's where active development is taking place. When that issue is resolved we can bring the changes over to Struts Tiles.

Resolving for 1.3.5, even though it's not completely fixed. See SB-23 for Standalone Tiles.
> In different tld files, different attributes are configured with
> <rtexprvalue>false</rtexprvalue>
> which prevents using EL in a JSP 2.0 Servlet Container.
>
> This is the case for instance in
> - html: tag "javascript" attribute "dynamicJavascript"
> - tiles: tag "insert" attribute "attribute"
> - bean: tag "struts" attribute "id"
>
> I can't recognize any logic explaining why some attributes accept runtime
> expressions and others don't. I think that all attributes should accept runtime
> expressions to allow EL use.
I don't recall the particular provenance of these particular decisions, but the
last one in particular reminds me of why we made a similar restriction in JSF
1.0 (you can't use an expression for the "id" property of a component). It
turns out that allowing expressions for this case would allow a class of cross
site scripting attacks that would make the application vulnerable. I can look
up the details if need be, but they were compelling enough for the JSF expert
group to set rtexprvalue to false on this attribute (as well as a couple of
other sensitive ones).
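
An added example, not part of the original thread or of the Struts code base: a small audit that reads a TLD and reports, per tag attribute, whether `<rtexprvalue>` permits runtime expressions, flagging id-style attributes that do. The sample TLD, the `SENSITIVE` set and the function names are constructed for illustration; an omitted `<rtexprvalue>` is treated as false, which is the TLD default.

```python
import xml.etree.ElementTree as ET

# Constructed sample TLD (not copied from Struts), modelled on the attributes named in the thread.
SAMPLE_TLD = """<?xml version="1.0"?>
<taglib xmlns="http://java.sun.com/xml/ns/j2ee" version="2.0">
  <tag><name>javascript</name>
    <attribute><name>dynamicJavascript</name><rtexprvalue>false</rtexprvalue></attribute>
    <attribute><name>staticJavascript</name><rtexprvalue>true</rtexprvalue></attribute>
  </tag>
  <tag><name>insert</name>
    <attribute><name>attribute</name></attribute>
    <attribute><name>id</name><rtexprvalue>yes</rtexprvalue></attribute>
  </tag>
</taglib>"""

# Assumption: attribute names treated as sensitive, following the thread (id attributes, indexId).
SENSITIVE = {"id", "indexId"}

def _local(tag):
    # Strip the XML namespace so JSP 1.2 (DTD) and JSP 2.0 (schema) TLDs are handled alike.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    # Text of the first direct child with the given local name, or None if absent.
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_tld(xml_text):
    """Return (tag, attribute, expressions_allowed, note) for every declared attribute."""
    rows = []
    root = ET.fromstring(xml_text)
    for tag in (e for e in root.iter() if _local(e.tag) == "tag"):
        tag_name = _child_text(tag, "name")
        for attr in (e for e in tag if _local(e.tag) == "attribute"):
            attr_name = _child_text(attr, "name")
            raw = _child_text(attr, "rtexprvalue")
            # The TLD accepts true/false/yes/no; a missing element means false.
            allowed = (raw or "false").lower() in ("true", "yes")
            if allowed and attr_name in SENSITIVE:
                note = "review: sensitive attribute accepts expressions"
            elif not allowed:
                note = "runtime expressions rejected"
            else:
                note = "ok"
            rows.append((tag_name, attr_name, allowed, note))
    return rows

if __name__ == "__main__":
    for row in audit_tld(SAMPLE_TLD):
        print("%-12s %-18s allowed=%-5s %s" % row)
```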