Make XWork ParametersInterceptor safe from parameter injection attacks


The XWork ParametersInterceptor is a security nightmare: it gives user input (submitted form parameters) unfettered access to getter/setter methods on action objects. In addition, the interceptor has been shown in the past to be vulnerable to Unicode attacks.

Rather than fight a constant (and often losing) battle to prevent actions from leaking important classes, we should rewrite the parameters interceptor to obey the following rules:

* Parameter keys will be ignored if they contain characters other than A-Za-z0-9, periods and square brackets.
* Where a parameter reads a property using dot notation (e.g. ?searchBean.query=blah), the getter method for that property must carry the @ActionSafeParameter annotation.
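Added example (not code from this issue or from XWork itself): a sketch of both rules in Java, assuming a hypothetical definition of the @ActionSafeParameter annotation, a hypothetical SafeParameterFilter helper, and a constructed SampleAction with one opted-in and one non-annotated getter.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.regex.Pattern;

/** Hypothetical marker: getters that dot-notation parameters may traverse. */
@Retention(RetentionPolicy.RUNTIME)
@interface ActionSafeParameter {}

public class SafeParameterFilter {
    // Rule 1: a key may contain only A-Za-z0-9, '.', '[' and ']'. Plain ASCII ranges,
    // so Unicode look-alikes and escape sequences in the key are rejected outright.
    private static final Pattern SAFE_KEY = Pattern.compile("[A-Za-z0-9.\\[\\]]+");

    public static boolean isSafeKey(String key) {
        return key != null && SAFE_KEY.matcher(key).matches();
    }

    // Rule 2: every intermediate property of a dotted key (all segments but the last,
    // which is the property being set) must have a getter carrying @ActionSafeParameter.
    // Index suffixes such as "[0]" are stripped before the getter lookup.
    public static boolean isAllowed(Class<?> actionClass, String key) {
        if (!isSafeKey(key)) return false;
        String[] segments = key.split("\\.");
        Class<?> current = actionClass;
        for (int i = 0; i < segments.length - 1; i++) {
            String prop = segments[i].replaceAll("\\[.*\\]", "");
            if (prop.isEmpty()) return false;
            String getter = "get" + Character.toUpperCase(prop.charAt(0)) + prop.substring(1);
            try {
                Method m = current.getMethod(getter);
                if (!m.isAnnotationPresent(ActionSafeParameter.class)) return false;
                current = m.getReturnType(); // descend into the nested bean's type
            } catch (NoSuchMethodException e) {
                return false; // no such getter: nothing to traverse
            }
        }
        return true;
    }

    // Constructed sample action: searchBean opts in, context does not.
    public static class SearchBean { public String getQuery() { return ""; } }
    public static class SampleAction {
        @ActionSafeParameter public SearchBean getSearchBean() { return new SearchBean(); }
        public Object getContext() { return null; }
    }

    public static void main(String[] args) {
        // Second key fails rule 2 (getter not annotated); third fails rule 1 (backslash).
        for (String key : new String[] {"searchBean.query", "context.foo", "search\\u0042ean.query"}) {
            System.out.println(key + " -> " + isAllowed(SampleAction.class, key));
        }
    }
}
```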

Assignee: Justin Koke
Reporter: Justin Koke
Votes: 0
Watchers: 0