Author: bphillips
Date: Mon Jul 29 14:07:56 2013
New Revision: 1508075

URL: http://svn.apache.org/r1508075
Log:
Added the same warning that appears in the ParametersInterceptor about using ParameterNameAware to the JavaDoc for this interface

Modified: struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParameterNameAware.java Modified: struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParameterNameAware.java URL: http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParameterNameAware.java?rev=1508075&r1=1508074&r2=1508075&view=diff ============================================================================== --- struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParameterNameAware.java (original) +++ struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParameterNameAware.java Mon Jul 29 14:07:56 2013 @@ -22,6 +22,13 @@ package com.opensymphony.xwork2.intercep * ParametersInterceptor}. For example, actions may want to create a whitelist of parameters they will accept or a * blacklist of paramters they will reject to prevent clients from setting other unexpected (and possibly dangerous) * parameters. + * + * Using {@link ParameterNameAware} could be dangerous as {@link ParameterNameAware#acceptableParameterName(String)} takes precedence + * over {@link ParametersInterceptor} which means if ParametersInterceptor excluded given parameter name you can accept it with + * {@link ParameterNameAware#acceptableParameterName(String)}. + * + * The best idea is to define very tight restrictions with ParametersInterceptor and relax them per action with + * {@link ParameterNameAware#acceptableParameterName(String)} * * <!-- END SNIPPET: javadoc --> *
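
Review bot: The added warning sits directly under the existing sentence that suggests "a whitelist of parameters they will accept or a blacklist of paramters they will reject", and the two do not reconcile. If `acceptableParameterName(String)` takes precedence over the `ParametersInterceptor` exclusions, as the new text says, then an action that implements the blacklist variant returns true for every name not on its own list and so re-accepts names the interceptor excluded. Suggest saying that outright and recommending that implementations accept only an explicit list of the names the action needs and return false for everything else. "could be dangerous" would also read better as a direct statement of the effect, for example that returning true re-enables a parameter name the interceptor excluded. Smaller points: the bare ` *` lines do not create paragraph breaks in rendered Javadoc, so the two new paragraphs need a paragraph tag to stand apart from the text above them; the last added sentence, ending in `{@link ParameterNameAware#acceptableParameterName(String)}`, is missing its period; and the unchanged context line still has the typo "paramters", which could be fixed in the same commit.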