This commit disables support for evaluating SpEL expressions from
untrusted sources by default. Specifically, this applies to the
SpEL-based 'selector' header support in WebSocket messaging, which
includes the DefaultSubscriptionRegistry and the classes used to
configure the 'selector' header name (SimpleBrokerMessageHandler and
SimpleBrokerRegistration).
The selector header support remains in place but will have to be
explicitly enabled beginning with Spring Framework 6.1.
For example, a custom implementation of WebSocketMessageBrokerConfigurer
can override the configureMessageBroker() method and configure the
selector header name as follows.
registry.enableSimpleBroker().setSelectorHeaderName("selector");
Closes gh-30550
Spring Framework

This is the home of the Spring Framework: the foundation for all Spring projects. Collectively the Spring Framework and the family of Spring projects are often referred to simply as "Spring".
Spring provides everything required beyond the Java programming language for creating enterprise applications for a wide range of scenarios and architectures. Please read the Overview section as reference for a more complete introduction.
Code of Conduct
This project is governed by the Spring Code of Conduct. By participating, you are expected to uphold this code of conduct. Please report unacceptable behavior to spring-code-of-conduct@pivotal.io.
Access to Binaries
For access to artifacts or a distribution zip, see the Spring Framework Artifacts wiki page.
Documentation
The Spring Framework maintains reference documentation (published and source), GitHub wiki pages, and an API reference. There are also guides and tutorials across Spring projects.
Micro-Benchmarks
See the Micro-Benchmarks wiki page.
Build from Source
See the Build from Source wiki page and the CONTRIBUTING.md file.
Continuous Integration Builds
Information regarding CI builds can be found in the Spring Framework Concourse pipeline documentation.
Stay in Touch
Follow @SpringCentral, @SpringFramework, and its team members on Twitter. In-depth articles can be found at The Spring Blog, and releases are announced via our releases feed.
License
The Spring Framework is released under version 2.0 of the Apache License.