on 5/17/01 6:46 AM, "Dennis Doubleday" <[EMAIL PROTECTED]> wrote:

> At 08:35 PM 5/16/01, Jon wrote:
> 
>> Also, there is a reason for the #foreach...
>> 
>> <http://jakarta.apache.org/velocity/ymtd/ymtd-hosting.html>
> 
> Jon,
> 
> I agree with most of your points. I am a new Velocity user and I am very
> impressed by its combination of power and simplicity. Reading/writing XSLT
> specs is an exercise in masochism.
> 
> However, I don't see how Velocity is really avoiding the fundamental
> problem described in the document you referenced. If you are an ISP hosting
> Velocity-based pages, you are certainly going to have to let that 14-year-old
> kid install both templates and class files; templates by themselves
> won't accomplish much. So the incompetent or malicious client can easily
> make the same mistake in his Command class that he would have made in the
> JSP page, and therefore also create a DOS attack on all servlets hosted in
> that JVM. No?

Controlling what goes into the Context is key.

There is nothing stating that you have to give the 14-year-old access to
creating .java files. Instead, the alternative approach is to place certain
objects within the Context which allow the 14-year-old to do a limited set
of actions. This follows along with the Pull Model:

<http://jakarta.apache.org/turbine/pullmodel.html>

This is the approach that Tea <http://opensource.go.com/> uses as well as
the general idea behind taglibs. The problem with taglibs is that there is
no restriction on the ability to put Java code in the page. It is part of
the JSP specification to be able to do that. Sure, you can disable it (as
Costin said), but then you are breaking the JSP specification. And I know
how important "standards" are to everyone...

-jon

-- 
If you come from a Perl or PHP background, JSP is a way to take
your pain to new levels. --Anonymous
<http://jakarta.apache.org/velocity/ymtd/ymtd.html>
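The "control what goes into the Context" approach from the message above, as an added example that is not part of the original thread or of the Velocity project itself. It assumes the standard Velocity API (`VelocityContext`, `Velocity.init()`, `Velocity.evaluate()`); the `PageTool` facade and the template text are constructed for this illustration.

```java
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;

/**
 * Added example, not from the original thread: the hosting provider, not the
 * template author, decides what is reachable from a template by choosing what
 * goes into the Context. PageTool is a hypothetical, deliberately narrow facade.
 */
public class PullModelDemo {

    /** Hypothetical "tool": the only object the template author can call. */
    public static final class PageTool {
        private final String title;
        private final List<String> items;

        public PageTool(String title, List<String> items) {
            this.title = title;
            // Defensive, read-only copy so a template cannot alter host data.
            this.items = Collections.unmodifiableList(new ArrayList<String>(items));
        }

        public String getTitle() { return title; }
        public List<String> getItems() { return items; }
        public int getCount() { return items.size(); }
        // Intentionally no getRequest(), getSession(), file or database handles:
        // the template has nothing beyond these accessors to reach.
    }

    /** Merge a template string against a Context that holds only the facade. */
    public static String render(String template, PageTool tool) throws Exception {
        Velocity.init();
        VelocityContext ctx = new VelocityContext();
        // Only the facade is put in; no other object is addressable by $name.
        ctx.put("page", tool);

        StringWriter out = new StringWriter();
        Velocity.evaluate(ctx, out, "pull-model-demo", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed template, as a hosting client might upload it.
        String template =
              "<h1>$page.title</h1>\n"
            + "<ul>\n"
            + "#foreach($item in $page.items)\n"
            + "  <li>$item</li>\n"
            + "#end\n"
            + "</ul>\n"
            + "<p>$page.count item(s)</p>\n"
            + "## The list behind $page.items is unmodifiable, so the template\n"
            + "## cannot mutate the host's data through it.\n"
            + "## $request or $servletContext render as literal text here,\n"
            + "## because nothing by those names was ever put into the Context.\n";

        PageTool tool = new PageTool("Specials", Arrays.asList("Coffee", "Tea"));
        System.out.print(render(template, tool));
    }
}
```

The facade limits which objects a template can reach, which is the point Jon makes; it does not by itself limit which methods Velocity's introspector will invoke on those objects. Later Velocity releases (1.5 and up) add a `SecureUberspector`, selected with the `runtime.introspector.uberspect` property, that refuses class-loader and `Class`-related method calls from templates; a hosting provider would combine that setting with a narrow Context like the one above.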
