These two examples you have given, from your web2py form and from pyjamas, are they functionally equivalent? If they are, please post the JavaScript for both pages too, so that we can really compare.
When you mention this "secure" tag in HTML5 or web2py 2.0, it seems to me that you are still going the wrong way about this issue. What would this "secure" tag actually do? If you want it to compile Python to JavaScript, I think there is no point in using web2py at all, as there are other projects for that. And that wouldn't make your code any more secure anyway, just different. Or do you expect it to trigger a JavaScript that hides the HTML source...? Again, hiding something trivially from the user's view is *not* security and should never be considered as such. It takes seconds to get around this.

Some of the basics of web development security are:
- you cannot trust anything that comes from the user side; all data received should be validated
- you should not send anything to the user side that you don't want the user to see.

If you really need to send such information as "issues_created_by" "sysadmin" through the form, then you must expect that users will see them. If you are worried that someone will try to change this and it shouldn't, then there are two things you can do:
- don't send this through a form at all (why would you..?)
- validate the information before committing into the db and make sure it's still correct.

There are no shortcuts here, no magical "secure" tags that can make these requirements go away. You need to design your application accordingly, no matter what framework you use.

On Monday, March 12, 2012 8:11:43 AM UTC+1, Rahul wrote:
>
> okay - Here are a few reasons -
>
> *@Anthony* - What exactly is it that you are trying to hide? Can you give an example?
>
> Here is the example -
> Please consider the below view page source (form when serialized) line when I have filled up a form *using a database for my software BugBuster* in this case - This is going to be a *post* method - All the variables are shown filled in before the "submit" is done actually.
> Now it could be very easy to pass wrong values using some hacking techniques by malicious people (in short, hackers) and send wrong information into the database.
>
> It is this kind of thing I need to prevent one from doing to my application. Please don't get me wrong - I ain't any paranoid when it comes to security. It's just that thing, that I need to make sure that my clients feel secure when they are using my application in production (online). I don't care if others are able to see parameters for trivial comments posting or blogs thereof, but when it comes to enterprise level security, I think we should provide such stuff or at least a way to conceal the information being passed.
> Even clients feel confident that such things are being taken care of by the software itself. I know validations can take care of this to some extent but that would eventually be an overkill during post method. And we cannot have it for each field anyways.
>
> *<form action="" enctype="multipart/form-data" method="post">
> <table><tr id="issues_ticket_no__row"><td class="w2p_fl"><label for="issues_ticket_no" id="issues_ticket_no__label">Ticket No: </label></td><td class="w2p_fw"><input class="string" id="issues_ticket_no" name="ticket_no" type="text" value="" /></td><td class="w2p_fc"></td></tr>
> <tr id="issues_team__row"><td class="w2p_fl"><label for="issues_team" id="issues_team__label">Team: </label></td><td class="w2p_fw"><select class="string" id="issues_team" name="team"><option value=""></option><option value="Base">Base</option><option value="Assets Team">Assets Team</option><option value="Wealth Management">Wealth Management</option></select></td><td class="w2p_fc"></td></tr>
> <tr id="issues_date_today__row"><td class="w2p_fl"><label for="issues_date_today" id="issues_date_today__label">Date Today: </label></td><td class="w2p_fw"><input class="date" id="issues_date_today" name="date_today" type="text" value="2012-03-12" /></td><td class="w2p_fc"></td></tr>
> <tr id="issues_category__row"><td class="w2p_fl"><label for="issues_category" id="issues_category__label">Category: </label></td><td class="w2p_fw"><select class="string" id="issues_category" name="category"><option value=""></option><option value="Base System">Base System</option></select></td><td class="w2p_fc"></td></tr>
> <tr id="issues_sub_category__row"><td class="w2p_fl"><label for="issues_sub_category" id="issues_sub_category__label">Sub Category: </label></td><td class="w2p_fw"><select class="string" id="issues_sub_category" name="sub_category"><option value=""></option><option value="Contact Manager">Contact Manager</option></select></td><td class="w2p_fc"></td></tr>
> <tr id="issues_manager__row"><td class="w2p_fl"><label for="issues_manager" id="issues_manager__label">Manager: </label></td><td class="w2p_fw"><select class="string" id="issues_manager" name="manager"><option value=""></option><option value="John Stiefeling">John Stiefeling</option></select></td><td class="w2p_fc"></td></tr>
> <tr id="issues_developer__row"><td class="w2p_fl"><label for="issues_developer" id="issues_developer__label">Developer: </label></td><td class="w2p_fw"><select class="string" id="issues_developer" name="developer"><option value=""></option><option value="Farzad">Farzad</option><option value="Shantanu">Shantanu</option></select></td><td class="w2p_fc"></td></tr>
> <tr id="issues_tester__row"><td class="w2p_fl"><label for="issues_tester" id="issues_tester__label">Tester: </label></td><td class="w2p_fw"><select class="string" id="issues_tester" name="tester"><option value=""></option><option value="Tanvi Potnis">TanviPotnis</option></select></td><td class="w2p_fc"></td></tr>
> <tr id="issues_severity__row"><td class="w2p_fl"><label for="issues_severity" id="issues_severity__label">Severity: </label></td><td class="w2p_fw"><select class="string" id="issues_severity" name="severity"><option value=""></option><option value="Critical">Critical</option><option value="High">High</option><option value="Low">Low</option><option value="Medium">Medium</option><option value="Trivial">Trivial</option></select></td><td class="w2p_fc"></td></tr>
> <tr id="issues_status__row"><td class="w2p_fl"><label for="issues_status" id="issues_status__label">Status: </label></td><td class="w2p_fw"><select class="string" id="issues_status" name="status"><option value=""></option><option value="AFF">AFF</option><option value="Acknowledged">Acknowledged</option><option value="Approved">Approved</option><option value="Closed">Closed</option><option value="Code Review">Code Review</option><option value="Deferred">Deferred</option><option value="Fixed">Fixed</option><option value="Open">Open</option><option value="Other">Other</option><option value="Pre-Approved">Pre-Approved</option><option value="Re-Opened">Re-Opened</option><option value="Tested">Tested</option></select></td><td class="w2p_fc"></td></tr>
> <tr id="issues_type__row"><td class="w2p_fl"><label for="issues_type" id="issues_type__label">Type: </label></td><td class="w2p_fw"><select class="string" id="issues_type" name="type"><option value=""></option><option value="Generic">Generic</option><option value="Schema Change">Schema Change</option></select></td><td class="w2p_fc"></td></tr>
> <tr id="issues_branches__row"><td class="w2p_fl"><label for="issues_branches" id="issues_branches__label">Branches: </label></td><td class="w2p_fw"><select class="string" id="issues_branches" name="branches"><option value=""></option><option value="Mainstream">Mainstream</option></select></td><td class="w2p_fc"></td></tr>
> <tr id="issues_modified_date__row"><td class="w2p_fl"><label for="issues_modified_date" id="issues_modified_date__label">Modified Date: </label></td><td class="w2p_fw">2012-03-12</td><td class="w2p_fc"></td></tr>
> <tr id="issues_created_by__row"><td class="w2p_fl"><label for="issues_created_by" id="issues_created_by__label">Created By: </label></td><td class="w2p_fw">sysadmin</td><td class="w2p_fc"></td></tr>
> <tr id="issues_workspace__row"><td class="w2p_fl"><label for="issues_workspace" id="issues_workspace__label">Workspace: </label></td><td class="w2p_fw">Base</td><td class="w2p_fc"></td></tr>
> <tr id="issues_description__row"><td class="w2p_fl"><label for="issues_description" id="issues_description__label">Description: </label></td><td class="w2p_fw"><textarea class="text" cols="40" id="issues_description" name="description" rows="10"></textarea></td><td class="w2p_fc"></td></tr>
> <tr id="issues_checkin_details__row"><td class="w2p_fl"><label for="issues_checkin_details" id="issues_checkin_details__label">Checkin Details: </label></td><td class="w2p_fw"><textarea class="text" cols="40" id="issues_checkin_details" name="checkin_details" rows="10"></textarea></td><td class="w2p_fc"></td></tr>
> <tr id="issues_comments__row"><td class="w2p_fl"><label for="issues_comments" id="issues_comments__label">Comments: </label></td><td class="w2p_fw"><textarea class="text" cols="40" id="issues_comments" name="comments" rows="10"></textarea></td><td class="w2p_fc"></td></tr>
> <tr id="issues_attach_file__row"><td class="w2p_fl"><label for="issues_attach_file" id="issues_attach_file__label">Attach File: </label></td><td class="w2p_fw"><input class="upload" id="issues_attach_file" name="attach_file" type="file" /></td><td class="w2p_fc"></td></tr>
> <tr id="submit_record__row"><td class="w2p_fl"></td><td class="w2p_fw"><input type="submit" value="Save" /></td><td class="w2p_fc"></td></tr></table>
> <div class="hidden"><input name="_formkey" type="hidden" value="f5f913dd-2c1d-4d56-85ac-2a4c0b7319f2" /><input name="_formname" type="hidden" value="issues/create" /></div></form>*
>
> --> Also note here I am not exactly trying to lock "View page source" for the end users; they may be able to do it as per default browser functionality, but rather they would see something very clean and no parameters, like the below pyjamas example view, serialized.
>
> *<html><!-- auto-generated html - you should consider editing and adapting this to suit your requirements -->
> <head>
> <meta name="pygwt:module" content="TimeSheet">
> <link rel='stylesheet' href='TimeSheet.css'>
> <title>PyJamas Auto-Generated HTML file TimeSheet</title>
> </head>
> <body bgcolor="white">
> <script language="javascript" src="bootstrap.js"></script>
> <iframe id='__pygwt_historyFrame' style='width:0;height:0;border:0'></iframe>
> </body>
> </html>*
>
> --> The above line *<body content="secure"> </body>* is *just a thought*; some html tag could be defined or supported in HTML5 or above, or *even maybe in web2py 2.0*, that would toggle secure page view and unsecure page view ...
> if secure is *True* - users would see some stuff very basic like the above pyjamas example when viewing page source
> else as usual - normal view page source (what it shows currently)
>
> I hope I am clear this time and not causing confusions :)
> Thanks,
>
> Sincerely, Rahul D (www.flockbird.com)
> ===================================
>
>
> On Sunday, March 11, 2012 5:54:23 AM UTC+5:30, pbreit wrote:
>>
>> Silverlight works on all browsers as far as I know. But I still don't think it's a very smart platform to target for the vast majority of apps.
>
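The server-side handling the reply above is describing, written out as an added example in plain Python. It is not code from this thread, from web2py, or from Rahul's BugBuster application. The field names and the option lists are taken from the form source quoted above; the session layout (`user`, `workspace`), the ticket-number pattern, the text length limit and the sample requests are assumptions made for the example. In web2py, `form.accepts(request, session)` performs the `_formkey` comparison and runs the fields' `requires` validators for you; this shows what those steps amount to, and why a client editing `severity`, `status` or `created_by` in the page source gains nothing.

```python
"""Added example: untrusted POST handling for the 'issues/create' form.

The browser can change any field before submitting, so the server
(a) matches the one-time _formkey against the session,
(b) accepts only the option values it offered itself,
(c) bounds the free-text fields, and
(d) never reads created_by / workspace / dates from the request at all.
All names, limits and sample data below are assumptions for this example.
"""
import datetime
import hmac
import re
import secrets

# Server-side source of truth for every <select> in the quoted form.
CHOICES = {
    "team": {"Base", "Assets Team", "Wealth Management"},
    "category": {"Base System"},
    "sub_category": {"Contact Manager"},
    "manager": {"John Stiefeling"},
    "developer": {"Farzad", "Shantanu"},
    "tester": {"Tanvi Potnis"},
    "severity": {"Critical", "High", "Low", "Medium", "Trivial"},
    "status": {"AFF", "Acknowledged", "Approved", "Closed", "Code Review",
               "Deferred", "Fixed", "Open", "Other", "Pre-Approved",
               "Re-Opened", "Tested"},
    "type": {"Generic", "Schema Change"},
    "branches": {"Mainstream"},
}
TEXT_FIELDS = ("description", "checkin_details", "comments")
MAX_TEXT = 10_000                      # assumed limit for textarea fields
TICKET_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")   # assumed ticket format
FORM_NAME = "issues/create"


def issue_formkey(session):
    """Render time: put a fresh one-time token in the session and return it
    for the hidden _formkey input (the role web2py's _formkey plays)."""
    token = secrets.token_hex(16)
    session.setdefault("formkeys", {})[FORM_NAME] = token
    return token


def accept_issue(post, session, today=None):
    """Validate one submission. Returns (record, errors); record is None
    whenever anything is wrong, so nothing reaches the database."""
    today = today or datetime.date.today().isoformat()

    # (a) CSRF/replay: the key must match the session and is consumed here,
    #     so the same serialized form cannot be posted twice.
    expected = session.get("formkeys", {}).pop(FORM_NAME, None)
    sent = str(post.get("_formkey", ""))
    if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
        return None, {"_formkey": "missing or stale form key"}
    if post.get("_formname") != FORM_NAME:
        return None, {"_formname": "wrong form"}

    record, errors = {}, {}

    # (b) Choice fields: only values the server itself offered are accepted.
    for field, allowed in CHOICES.items():
        value = post.get(field, "")
        if value in allowed:
            record[field] = value
        else:
            errors[field] = "value not in allowed set"

    # (c) Free text: pattern-check the ticket number, bound the textareas.
    ticket = str(post.get("ticket_no", ""))
    if TICKET_RE.match(ticket):
        record["ticket_no"] = ticket
    else:
        errors["ticket_no"] = "bad ticket number"
    for field in TEXT_FIELDS:
        text = str(post.get(field, ""))
        if len(text) > MAX_TEXT:
            errors[field] = "too long"
        else:
            record[field] = text

    # (d) Server-owned fields come from the session and the clock. Whatever
    #     the client sent under these names is simply never looked at.
    record["created_by"] = session["user"]
    record["workspace"] = session["workspace"]
    record["modified_date"] = today
    record["date_today"] = today

    return (None, errors) if errors else (record, errors)


if __name__ == "__main__":
    # Constructed sample: a logged-in session and a tampered submission.
    session = {"user": "rahul", "workspace": "Base"}
    key = issue_formkey(session)
    post = {"_formkey": key, "_formname": FORM_NAME, "ticket_no": "BB-42",
            "team": "Base", "category": "Base System",
            "sub_category": "Contact Manager", "manager": "John Stiefeling",
            "developer": "Farzad", "tester": "Tanvi Potnis",
            "severity": "Ultra", "status": "Open", "type": "Generic",
            "branches": "Mainstream", "description": "crash on login",
            "created_by": "admin"}          # client-supplied, ignored
    print(accept_issue(post, session, today="2012-03-12"))
```

Running the module shows the tampered `severity="Ultra"` rejected with an error for that field only; with a valid severity the returned record carries `created_by="rahul"` from the session regardless of what the form contained, and a second submission with the same `_formkey` is refused.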