Remove web-API based expression utility objects #886

Closed
danielfernandez opened this issue May 2, 2022 · 1 comment

@danielfernandez
Member

The #request, #response, #session and #servletContext expression utility objects should be removed from the Standard Dialect, both for security reasons (in order to avoid direct access to potentially unsafe properties such as request parameters) and also due to the fact that these are currently bound to the javax.* Servlet API, and generalising the web interfaces in the Thymeleaf core in order to support jakarta.* and other web technologies would not be compatible with these specific objects still being available.

@danielfernandez
Member Author

Closed by means of ef4d87f.
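
An added example, not part of the issue thread or the Thymeleaf project's code: a small audit script that reports where templates still reference the four expression utility objects named in the issue, so they can be found before upgrading. The function name `find_removed_objects`, the regex-based expression matching (it assumes no nested braces inside an expression) and the sample template are assumptions constructed for illustration.

```python
import re

# The four expression utility objects named in the issue.
REMOVED_OBJECTS = ("request", "response", "session", "servletContext")

# Variable (${...}) and selection (*{...}) expressions. Assumption: no nested
# braces inside an expression, which holds for typical templates.
EXPR_RE = re.compile(r"[$*]\{(.*?)\}", re.DOTALL)
# Matches "#request" but not a longer name such as "#requestInfo", and not a
# plain model variable called "request" (no leading '#').
OBJECT_RE = re.compile(r"#(" + "|".join(REMOVED_OBJECTS) + r")\b")

# Constructed sample template, not taken from any real project.
SAMPLE_TEMPLATE = """<html xmlns:th="http://www.thymeleaf.org">
<body>
  <p th:text="${#request.getParameter('q')}">query</p>
  <p th:text="${user.name}">name</p>
  <a th:href="@{/next(sid=${#session.id})}">next</a>
  <span th:text="${#strings.toUpperCase(title)}">title</span>
  <p>[[${#servletContext.contextPath}]]</p>
  <p th:text="${requestInfo}">model variable, not flagged</p>
</body>
</html>
"""


def find_removed_objects(template_text):
    """Return (line, object, expression) for each use of a removed object."""
    findings = []
    for expr in EXPR_RE.finditer(template_text):
        for obj in OBJECT_RE.finditer(expr.group(1)):
            # Translate the match position into a 1-based line number.
            offset = expr.start(1) + obj.start()
            line = template_text.count("\n", 0, offset) + 1
            findings.append((line, "#" + obj.group(1), expr.group(1).strip()))
    return findings


if __name__ == "__main__":
    for line, obj, expr in find_removed_objects(SAMPLE_TEMPLATE):
        print(f"line {line}: {obj} used in ${{{expr}}}")
```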
