Michael Coates wrote:
> It seems to me that the method used to request parameters from an
> included jsp file should not "fail over" to the URL if the jsp:include
> does not provide the parameter.
IMO that's an incorrect assumption, that one can skip security
considerations when using JSPs in a 'safe way' (because they're in the
WEB-INF folder, in this case). It can be reused e.g. by an include page
directive.
A developer should never trust any values passed via request parameters.
Period.
--
Mikolaj Rydzewski <m...@ceti.pl>
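
The fallback discussed in this message, shown beside one way to avoid depending on it. This is an added example, not code from the thread or from Tomcat. The file names, the "title" parameter and the "panelTitle" attribute are hypothetical, and JSTL 1.2 (core taglib) is assumed to be available.

```jsp
<%-- ===== caller.jsp (hypothetical name) ===== --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Pass the value as a request-scoped attribute. Attributes are set only by
     server-side code, so a client cannot supply one through the URL. --%>
<c:set var="panelTitle" value="Account summary" scope="request"/>
<jsp:include page="/WEB-INF/fragments/panel.jsp"/>


<%-- ===== /WEB-INF/fragments/panel.jsp (hypothetical name) ===== --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Weak form, kept commented out for comparison.
     ${param.title} resolves through request.getParameter("title"). Values
     given with jsp:param are merged with the parameters of the original
     request, so when the including page omits jsp:param for "title" the
     fragment silently receives whatever the client put in the query string,
     and here it would be written to the page unescaped:

     <h2>${param.title}</h2>
--%>

<%-- Hardened form: read the attribute rather than a request parameter, use a
     fixed default when it is absent, and let c:out escape the value on output
     regardless of where it came from (escapeXml defaults to true). --%>
<h2><c:out value="${requestScope.panelTitle}" default="Untitled"/></h2>
```

Keeping the fragment under WEB-INF only blocks direct requests to it; any page that includes it still hands it the original request's parameters.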