click-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "florin.g" <>
Subject Re: 2.0.1 Roadmap
Date Wed, 25 Feb 2009 01:41:17 GMT


To me (as a hobbyist), Click offers pretty much all I need. I probably use a
subset anyways. 

However, convenience is one of the most powerful things in life as well as
programming. I would add lots of good thing in the extra package that would
really add value to the programmer's day to day life. Simplicity of
framework plus convenience, yep, I'd go for it.


sabob wrote:
> florin.g wrote:
>> - Built in security (cross site, sql injection, etc.) 
> I think SQL injection is better handled by the DB layer e.g. an ORM or 
> PreparedStatement.
> As for XSS attacks Click controls provides some protection by escaping 
> their values before rendering. However XSS will still be possible 
> through Velocity variables unless they are escaped using 
> Format#html(String):
> $format.html($msg)
> Velocity also provides a property to escape all variables or 
> optionally to escape only variables matching a certain expression.
> Still the best way is probably through an XSSFilter which ensures all 
> HTML entities are escaped. Is this what you had in mind or something else?
> kind regards
> bob

View this message in context:
Sent from the click-development mailing list archive at

View raw message