(sorry for the response lag, unfortunately I don't read tomcat very
frequently)
Hi Jon.
> The problem with taglibs is that there is no restriction on the
> ability to put Java code in the page. It is part of the JSP
> specification to be able to do that. Sure, you can disable it (as
> Costin said), but then you are breaking the JSP specification. And
> I know how important "standards" are to everyone...
>
> -jon
I didn't see any follow-up clarifying this but apologies if I missed it.
JSP 1.2 has the notion of a TagLibraryValidator that is associated with
a tag library. This can be used to portably validate different
assertions on your JSP page. This could be used to, for example, check
that some actions are nested within others, or that some portions of
your JSP page conform in one way or another.
A TagLibraryValidator can also be used to disable scriptlets.
===
On some of the other points in this thread:
* Using XSLT for templating...
Like Jon and some others, I think that XSLT is a bit too complicated
(and memory expensive) to be my favorite templating mechanism. But it
is widely used as a transformation mechanism. Some thoughts on the
role of XML, JSP & XSLT at
http://java.sun.com/products/jsp/html/JSPXML.html
* XML in Jasper...
The JSP expert group has considered for a while adding a portable
mechanism for transformations on a JSP page. Such a transformation
would be defined as operating on the XML representation of a JSP page.
I expect we will discuss this feature again for JSP 1.3, although there
are no specific dates for that yet.
IMHO,
- eduard/o
Jon Stevens wrote:
>
> on 5/17/01 6:46 AM, "Dennis Doubleday" <[EMAIL PROTECTED]> wrote:
>
> > At 08:35 PM 5/16/01, Jon wrote:
> >
> >> Also, there is a reason for the #foreach...
> >>
> >> <http://jakarta.apache.org/velocity/ymtd/ymtd-hosting.html>
> >
> > Jon,
> >
> > I agree with most of your points. I am a new Velocity user and I am very
> > impressed by its combination of power and simplicity. Reading/writing XSLT
> > specs is an exercise in masochism.
> >
> > However, I don't see how Velocity is really avoiding the fundamental
> > problem described in the document you referenced. If you are an ISP hosting
> > Velocity-based pages, you are certainly going to have to let that 14 year
> > old kid install both templates and class files; templates by themselves
> > won't accomplish much. So the incompetent or malicious client can easily
> > make the same mistake in his Command class that he would have made in the
> > JSP page, and therefore also create a DOS attack on all servlets hosted in
> > that JVM. No?
>
> Controlling what goes into the Context is key.
>
> There is nothing stating that you have to give the 14 year old access to
> creating .java files. Instead, the alternative approach is to place certain
> objects within the Context which allow the 14 year old to do a limited set
> of actions. This follows along with the Pull Model:
>
> <http://jakarta.apache.org/turbine/pullmodel.html>
>
> This is the approach that Tea <http://opensource.go.com/> uses as well as
> the general idea behind taglibs. The problem with taglibs is that there is
> no restriction on the ability to put Java code in the page. It is part of
> the JSP specification to be able to do that. Sure, you can disable it (as
> Costin said), but then you are breaking the JSP specification. And I know
> how important "standards" are to everyone...
>
> -jon
>
> --
> If you come from a Perl or PHP background, JSP is a way to take
> your pain to new levels. --Anonymous
> <http://jakarta.apache.org/velocity/ymtd/ymtd.html>
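Added example (not code from this thread or from Tomcat/Jasper): a JSP 1.2 TagLibraryValidator of the kind Eduardo describes above, used to refuse pages that mix this tag library with Java scripting. The container hands the validator the XML view of the page, in which <% %>, <%= %> and <%! %> show up as jsp:scriptlet, jsp:expression and jsp:declaration elements carrying a jsp:id attribute, so the check is a namespace-aware SAX pass looking for those element names. The class name NoScriptingValidator and the message text are assumptions; the javax.servlet.jsp.tagext types, the JSP namespace URI and the jsp:id attribute are from the JSP 1.2 API.

```java
import java.util.ArrayList;
import java.util.List;

import javax.servlet.jsp.tagext.PageData;
import javax.servlet.jsp.tagext.TagLibraryValidator;
import javax.servlet.jsp.tagext.ValidationMessage;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Example validator (hypothetical class name) that rejects any page using
 * this tag library if the page also contains Java scripting elements.
 * Register it in the TLD with <validator><validator-class>...</validator-class></validator>.
 */
public class NoScriptingValidator extends TagLibraryValidator {

    // Namespace of the jsp: elements in the XML view of a JSP 1.2 page
    private static final String JSP_NS = "http://java.sun.com/JSP/Page";

    public ValidationMessage[] validate(final String prefix, final String uri, PageData page) {
        final List messages = new ArrayList();
        try {
            SAXParserFactory factory = SAXParserFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.newSAXParser().parse(page.getInputStream(), new DefaultHandler() {
                public void startElement(String ns, String local, String qName, Attributes atts) {
                    if (!JSP_NS.equals(ns)) {
                        return;
                    }
                    if ("scriptlet".equals(local)
                            || "expression".equals(local)
                            || "declaration".equals(local)) {
                        // jsp:id is the per-element id the container adds to the XML view;
                        // passing it back lets the container point at the offending element.
                        String id = atts.getValue(JSP_NS, "id");
                        messages.add(new ValidationMessage(id,
                            "Java scripting element <jsp:" + local
                            + "> is not allowed in pages that use tag library " + uri));
                    }
                }
            });
        } catch (Exception e) {
            // A page we cannot parse is rejected rather than silently accepted.
            return new ValidationMessage[] {
                new ValidationMessage(null, "could not parse XML view of page: " + e)
            };
        }
        // Per the TagLibraryValidator contract, null means the page is valid.
        if (messages.isEmpty()) {
            return null;
        }
        return (ValidationMessage[]) messages.toArray(new ValidationMessage[messages.size()]);
    }
}
```

Two caveats for anyone relying on this as a security boundary. The validator only runs for pages that actually import the tag library (via its taglib directive), so a page author who simply omits the directive is not checked; turning scripting off for every page needs a container-level switch, which is the non-portable route mentioned earlier in the thread. Also, request-time attribute values written as <%= ... %> inside a custom action's attribute are not separate elements in the XML view, so a check that only looks at element names does not catch them; the attribute values would have to be inspected as well.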