on 5/18/01 3:40 PM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

> The key point is that you have to disable any user code in order to have
> this work. Only applications that do not use any user code ( beans,
> servlets, utils ) will work.
> 
> Same is true for almost any templating system ( including JSP ) - if you
> restrict the user ( and refuse to run any "real" code ) - you'll be
> protected against DOS.
> 
> For JSP, it would mean that users are not allowed to use their own
> taglibs, or <% java %> in page, or servlets, or beans - only a
> <foreach> tag and a few other trusted tags.

Correct, however some bright monkey decided to add <% %> into the JSP
specification. So, if you disable that, you are breaking the specification.
In other words, it is a bad design in the first place. That is the point.

> Same is true for turbine ( with
> a different syntax ).

You mean Velocity. Turbine is just a framework.

> You don't need to do anything in jasper for that - just write a simple
> program to scan the web application and reject any app that has any java
> code or any "unauthorized" tag before running it. And refuse to run any
> other application. ( and find people to use your service :-)

YUCKY! That sounds so lame it is silly. Why should someone spend time and
effort creating what amounts to a complete hack to secure their
applications?

JSP is a bad design because it was cloned from an already bad design...ASP.

-jon
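The scanner the quoted message describes, written out as an added example that is not part of this thread or of jasper: it rejects any JSP page containing scripting elements, jsp:useBean, or a taglib directive whose URI is not on an allow-list. The allow-list and the sample page are constructed for the example.

```python
import re
from pathlib import Path

# Allow-list of taglib URIs the host trusts (constructed for this example).
TRUSTED_TAGLIB_URIS = {"http://java.sun.com/jsp/jstl/core"}

# <% %>, <%= %> and <%! %> all run arbitrary Java; <%@ (directive) and
# <%-- (comment) start with the same two characters and are excluded.
SCRIPTLET_RE = re.compile(r"<%(?![@-])[\s\S]*?%>")
JSP_COMMENT_RE = re.compile(r"<%--[\s\S]*?--%>")
TAGLIB_RE = re.compile(r"<%@\s*taglib\s+([^%]*)%>")
URI_RE = re.compile(r'uri\s*=\s*"([^"]*)"')
# XML-syntax equivalents of the scripting elements, plus bean instantiation.
JSP_ELEMENT_RE = re.compile(r"<(jsp:(?:scriptlet|expression|declaration|useBean))\b")

def find_violations(source: str) -> list:
    """Return (kind, detail) pairs for every construct the host refuses to run."""
    text = JSP_COMMENT_RE.sub("", source)  # commented-out code never executes
    violations = []
    for m in SCRIPTLET_RE.finditer(text):
        violations.append(("scriptlet", m.group(0)))
    for m in JSP_ELEMENT_RE.finditer(text):
        violations.append(("jsp-element", m.group(1)))
    for m in TAGLIB_RE.finditer(text):
        uri = URI_RE.search(m.group(1))
        uri_value = uri.group(1) if uri else ""
        if uri_value not in TRUSTED_TAGLIB_URIS:
            violations.append(("taglib", uri_value or "<missing uri>"))
    return violations

def scan_webapp(root: str) -> dict:
    """Map every .jsp file under root to its violations; the app is only
    deployed when every list is empty."""
    return {str(p): find_violations(p.read_text(errors="replace"))
            for p in Path(root).rglob("*.jsp")}

def app_is_accepted(root: str) -> bool:
    return all(not v for v in scan_webapp(root).values())

# Constructed sample page: one trusted taglib, one unknown taglib, a bean,
# a commented-out scriptlet (ignored) and two live scripting elements.
SAMPLE_PAGE = """<%@ page contentType="text/html" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://example.invalid/my-tags" prefix="my" %>
<%-- <% commented out %> --%>
<jsp:useBean id="u" class="example.User" />
<c:forEach var="i" begin="1" end="3">${i}</c:forEach>
<% out.println("hi"); %>
<%= request.getParameter("x") %>
"""

if __name__ == "__main__":
    for kind, detail in find_violations(SAMPLE_PAGE):
        print(f"reject: {kind}: {detail}")
```

A page that uses only the trusted <c:forEach> tag and EL expressions passes with no violations, which is the "only a <foreach> tag and a few other trusted tags" policy from the quoted message.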
