update list of restricted classes

velocity-engine-core/src/test/resources/oldproperties/velocity.properties

@@ -220,9 +220,13 @@ runtime.conversion.handler.class = org.apache.velocity.util.introspection.TypeCo
 # accessed.
 # ----------------------------------------------------------------------------
 
+# Prohibit reflection
 introspector.restrict.packages = java.lang.reflect
 
-## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+
+# Restrict these system classes.  Note that anything in this list is matched exactly.
+# (Subclasses must be explicitly named to be included).
 
 introspector.restrict.classes = java.lang.Class
 introspector.restrict.classes = java.lang.Compiler
@@ -236,6 +240,12 @@ introspector.restrict.classes = java.lang.System
 introspector.restrict.classes = java.lang.ThreadGroup
 introspector.restrict.classes = java.lang.ThreadLocal
 
+# Restrict instance managers for common servlet containers  (Tomcat, JBoss, Jetty)
+
+introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
+introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
+introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
+
 # ----------------------------------------------------------------------------
 # SPACE GOBBLING
 # ----------------------------------------------------------------------------