cocoon-dev mailing list archives

From Jeremy Quinn
Subject Re: [announce] XMLForm - a new project using Xerces, Xalan, & JTidy
Date Tue, 22 Feb 2000 17:28:54 GMT
On 21/2/00 at 4:24 pm, (Donald Ball) wrote:

>I've been using cocoon for time out of mind to handle sending information
>out of my XML files as HTML over HTTP and it's fantastic. That's half of
>the work of a typical web design shop. The other half of the equation
>hasn't really been addressed to my satisfaction yet - I wanted a way to
>edit XML files through an HTML form interface.

This is marvelous!
I was particularly tickled by the use of XPath :)

>If you find this servlet useful, if you have any suggestions, or if you
>know of a similar project in Java that escaped my attention, please don't
>hesitate to contact me.

I have not had the chance to try out or read the code ...

Can it create new files?

Sorry to say this, considering how much work you have already done, but could
this Form handling functionality be considered for inclusion into Cocoon?
If so, how should it interact with SiteMap, XSL and XSP?

>From the README file in the distribution.
> <input name="xmlform:virtual" value="/news.xml">
> <input name="xmlform:xpath" value="/articles/article[position()=last()]">

Is this not a bit of a security hole?
Anyone with the motivation, could "explore" your XML file structure (with
feedback from error messages) and add Nodes wherever they like; just by
modifying the Form. (In fact I have some students who might think of this as fun.)

If this was built into Cocoon, it could be possible to have an XML file on the
server that is addressed (via SiteMap) by the Form's Action, which contains the
information required to do stuff like:

    work out what file to update/create;
    map Form Fields to Nodes;
    define datatypes and ranges;
    provide a customisable response;
    define behaviour like form chaining

I am sure you must have had good reasons to implement this as a Servlet rather
than a Producer.

What am I missing?

regards Jeremy


      Jeremy Quinn                                             media.demon
                                                           webSpace Design
      <phone:+44.[0].207.737.6831>
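
The server-side mapping proposed in the message above, as an added example that is not part of the original message or of XMLForm's code: the request carries only a form id and field values, while the target file, the insertion XPath, and the per-field value patterns live on the server. The `FormDef` record, the `add-article` id, the field names, and the patterns are all hypothetical.

```java
import java.io.StringReader;
import java.util.*;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class ServerSideFormMap {
    // Hypothetical server-side form definition: target file, parent node,
    // new element name, and the allowed fields with their value patterns.
    record FormDef(String file, String parentXPath, String element, Map<String, Pattern> fields) {}

    static final Map<String, FormDef> FORMS = new HashMap<>();
    static {
        Map<String, Pattern> fields = new LinkedHashMap<>();
        fields.put("title", Pattern.compile("[^<>]{1,80}"));
        fields.put("year", Pattern.compile("\\d{4}"));
        FORMS.put("add-article", new FormDef("/news.xml", "/articles", "article", fields));
    }

    // File and XPath come from FORMS; the client cannot name either one.
    static Element apply(Document doc, String formId, Map<String, String> params) throws Exception {
        FormDef def = FORMS.get(formId);
        if (def == null) throw new IllegalArgumentException("unknown form");
        if (!def.fields().keySet().containsAll(params.keySet()))
            throw new IllegalArgumentException("unexpected field");
        Node parent = (Node) XPathFactory.newInstance().newXPath()
                .evaluate(def.parentXPath(), doc, XPathConstants.NODE);
        Element item = doc.createElement(def.element());
        for (Map.Entry<String, Pattern> f : def.fields().entrySet()) {
            String value = params.get(f.getKey());
            if (value == null || !f.getValue().matcher(value).matches())
                throw new IllegalArgumentException("invalid value for " + f.getKey());
            Element child = doc.createElement(f.getKey());
            child.setTextContent(value); // stored as text, never parsed as markup
            item.appendChild(child);
        }
        return (Element) parent.appendChild(item);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document standing in for /news.xml.
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new InputSource(new StringReader("<articles><article/></articles>")));
        apply(doc, "add-article", Map.of("title", "Hello", "year", "2000"));
        try { apply(doc, "add-article", Map.of("title", "x", "xmlform:xpath", "/")); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The uniform "rejected" messages also avoid echoing file or node details back to the client, which addresses the error-message feedback concern raised in the message.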
