Hello,

Many developers use the <html:cancel/> tag to perform an action without validation (and for other reasons). It's useful, but it can be dangerous for security. If we don't handle the cancel button in every Action or BaseAction, then it's possible to perform some actions without validation.

How? It's very simple. Just put the parameter org.apache.struts.taglib.html.CANCEL=1 in the URL, or add the form element <input type="hidden" name="org.apache.struts.taglib.html.CANCEL" value="1">.

I've tried this trick on many sites written in Struts. I advise remembering this problem if we don't have validation in the business layer.

--
Przemyslaw Lupinski
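
One way to handle the cancel flag in a shared base class, as the post recommends, so that an action which never renders <html:cancel/> refuses a request carrying the cancel parameter instead of running unvalidated. This is an added example, not part of the original post; it assumes Struts 1 and the servlet API on the classpath, and CancelAwareAction, allowsCancel, onCancel and doExecute are hypothetical names.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Hypothetical base class: application actions extend this instead of Action. */
public abstract class CancelAwareAction extends Action {

    /** Return true only in actions whose form really renders <html:cancel/>. */
    protected boolean allowsCancel() {
        return false; // deny by default
    }

    /** Business logic; never reached for a request flagged as cancelled. */
    protected abstract ActionForward doExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;

    /** Cancel path: must not perform the action's state change. */
    protected ActionForward onCancel(ActionMapping mapping, HttpServletRequest request) {
        // Assumes the mapping declares an "input" page to return to.
        return mapping.getInputForward();
    }

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // isCancelled() is true when the request carried
        // org.apache.struts.taglib.html.CANCEL, which also makes Struts
        // skip ActionForm validation for this request.
        if (isCancelled(request)) {
            if (!allowsCancel()) {
                // Validation was skipped, so the form data is untrusted: refuse and log.
                getServlet().log("Rejected unexpected cancel flag on " + mapping.getPath()
                        + " from " + request.getRemoteAddr());
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return null; // response already committed
            }
            return onCancel(mapping, request);
        }
        return doExecute(mapping, form, request, response);
    }
}
```

Because execute is final, a subclass cannot forget the check; an action that does offer a cancel button overrides allowsCancel() and, if needed, onCancel().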