@Weng said:
are you honestly THAT FUCKING DENSE?
<bean:write name="orderBy"/>
will be replaced, BEFORE THE HTML IS EVER SENT FROM THE SERVER TO THE CLIENT, with something like 'ORDER BY penisSize'
It is NEVER transmitted to the browser and is thus NEVER returned as a form submission item. If you have ever developed for the web in any language, you have NO EXCUSE for not understanding this concept.
The contents of the hidden input field are returned, though, and there can be no other reason for this than to build the query when it gets passed back, due to the inherent sessionless nature of HTML.
Especially concerning is the queryType field. I would have no doubt that, even escaped, someone could do damage with this if they wanted.
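The point of contention above is whether query fragments such as orderBy and queryType round-trip through the browser in hidden fields and get concatenated into SQL on the way back. The following is an added illustration, not code from the thread or from any Struts project: it contrasts a handler that trusts the posted hidden fields with one that treats them only as keys into a server-side whitelist and binds user-supplied values as parameters. The request parameters are simulated with a Map, and the names `orderBy`, `queryType`, `buildQueryUnsafe`, `buildQuerySafe` and the column/table names are all assumptions for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class HiddenFieldQueryExample {

    // Constructed stand-in for the parameters a form submission would carry back.
    // In the pattern the thread describes, orderBy and queryType are hidden inputs.
    static Map<String, String> simulatedPost(String queryType, String orderBy) {
        Map<String, String> params = new HashMap<>();
        params.put("queryType", queryType);
        params.put("orderBy", orderBy);
        params.put("customerId", "42");
        return params;
    }

    // Vulnerable shape: whatever the browser posts back is spliced into the SQL.
    // Escaping quotes does not help here because the values land outside string
    // literals (table name, ORDER BY clause), so any token the client chooses is executed.
    static String buildQueryUnsafe(Map<String, String> params) {
        return "SELECT * FROM " + params.get("queryType")
             + " WHERE customer_id = " + params.get("customerId")
             + " ORDER BY " + params.get("orderBy");
    }

    // Hardened shape: hidden fields are only keys. The server owns the mapping from
    // key to SQL fragment, and anything not in the map is rejected. The one real
    // user value (customerId) is bound as a parameter, never concatenated.
    private static final Map<String, String> QUERY_TYPES = Map.of(
        "orders",   "SELECT id, total, placed_at FROM orders",
        "invoices", "SELECT id, amount, due_at FROM invoices"
    );
    private static final Set<String> ORDER_BY_COLUMNS = Set.of("id", "total", "placed_at", "amount", "due_at");

    static String buildQuerySafe(Map<String, String> params) {
        String base = QUERY_TYPES.get(params.get("queryType"));
        String column = params.get("orderBy");
        if (base == null || column == null || !ORDER_BY_COLUMNS.contains(column)) {
            // Log and refuse rather than fall back to a default; a tampered hidden
            // field is a signal worth seeing in the server logs.
            throw new IllegalArgumentException("rejected query parameters: " + params);
        }
        // customer_id is a bind parameter; it would be set with
        // PreparedStatement.setLong(1, Long.parseLong(params.get("customerId"))).
        return base + " WHERE customer_id = ? ORDER BY " + column;
    }

    public static void main(String[] args) {
        Map<String, String> honest = simulatedPost("orders", "placed_at");
        System.out.println(buildQueryUnsafe(honest));
        System.out.println(buildQuerySafe(honest));

        // Constructed tampered submission: the hidden field no longer names a column.
        Map<String, String> tampered = simulatedPost("orders", "placed_at; -- not a column");
        System.out.println(buildQueryUnsafe(tampered)); // fragment passes straight through
        try {
            buildQuerySafe(tampered);
        } catch (IllegalArgumentException e) {
            System.out.println("safe builder rejected it: " + e.getMessage());
        }
    }
}
```

The design choice to note is that the hardened version never needs to escape orderBy or queryType at all: they are compared against a fixed set and either match exactly or are rejected, which is the only reliable defence for values that end up in identifier or clause positions where escaping does not apply.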