What I can't believe is that an expression language that so directly interoperates with Java objects is processed from request parameters.
I can't conceive of the specific use-case that justified adding this, but it's so clearly a bad idea that it doesn't appear bad only in hindsight. It appears bad in foresight.
"I'm going to accept and execute arbitrary expressions from clients, and these expressions can interact with arbitrary Java code, is that cool?"
As the person who made that decision some time ago[1] I can tell you that basically we didn't fully appreciate or understand all the features OGNL supported at the time.
As we realized it could, say, invoke static functions and execute extremely complex expressions, we realized the hole. Since then the team has been patching them piece by piece, but really OGNL should be thrown out and replaced with something that is far more limited in its capabilities.
It's been a long time since I was an active contributor, but that'd be my recommendation if I was still hacking away on it.