From: Ovidiu Predescu
Date: Tue, 18 Jun 2002 00:09:28 -0700
Subject: Re: [RT] Flowmaps
Reply-To: cocoon-dev@xml.apache.org
In-Reply-To: <20020618082230.B18670@bremen.dvs1.informatik.tu-darmstadt.de>

On 6/17/02 11:22 PM, "Christian Haul" wrote:

> On 17.Jun.2002 -- 09:35 PM, Ovidiu Predescu wrote:
>
>>
>> - automatic binding of JavaScript variables to form values. This would allow
>> you to declare something like:
>>
>> var username, password;
>>
>> // Send a page to collect the user name and the password
>> sendPage("login.html");
>>
>> // When the user fills in the form and presses the submit button, the
>> // script restarts here. The flow engine automatically binds the username
>> // and password to the values submitted in the form.
>
> Don't. It was one of the biggest mistakes PHP did securitywise. Always
> access request parameters explicitly.

Yes, I read somewhere about this, but don't know the details. Can you explain some more?

I actually like the way variables are automatically bound in WebObjects, where you have to explicitly define the automatic binding, by mapping an instance variable to a form parameter. I was thinking to follow a similar pattern, and have a way to specify that a given local variable in a function is to be bound to a form parameter.
In WebObjects this association is totally under the control of the programmer, and the same way should be done in Cocoon. Could this be a potential security problem?

Greetings,
Ovidiu
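The two binding styles discussed in this thread, side by side, as an added example that is not part of the original message and not Cocoon flow-engine code: binding every submitted parameter lets a request overwrite state the script owns, while a programmer-declared mapping (the WebObjects-style pattern described above) copies only the named fields. All function names, the `authenticated` variable and the sample requests are hypothetical and constructed for illustration.

```javascript
// Added illustration; bindAll, bindDeclared, runLogin and LOGIN_FIELDS are
// hypothetical names, not Cocoon APIs.

// Implicit binding: every submitted parameter overwrites the variable of the
// same name, whether or not the script meant it to be user-controlled.
function bindAll(scope, params) {
  for (const [name, value] of Object.entries(params)) {
    scope[name] = value;
  }
  return scope;
}

// Explicit binding: only the variable -> form-field pairs the programmer
// declared are copied; any other parameter in the request is ignored.
const LOGIN_FIELDS = { username: "username", password: "password" };

function bindDeclared(scope, params, mapping = LOGIN_FIELDS) {
  for (const [variable, field] of Object.entries(mapping)) {
    if (Object.prototype.hasOwnProperty.call(params, field)) {
      scope[variable] = String(params[field]);
    }
  }
  return scope;
}

// Constructed credential check standing in for a real user store.
function checkPassword(username, password) {
  return username === "alice" && password === "correct horse";
}

// The flow after sendPage("login.html") returns: bind, then decide.
function runLogin(bind, params) {
  // `authenticated` is script-owned state and must never come from the form.
  const scope = { username: "", password: "", authenticated: false };
  bind(scope, params);
  if (checkPassword(scope.username, scope.password)) {
    scope.authenticated = true;
  }
  return Boolean(scope.authenticated);
}

// Constructed requests: a normal login and one carrying an extra parameter.
const legit = { username: "alice", password: "correct horse" };
const forged = { username: "mallory", password: "guess", authenticated: "1" };

console.log("implicit, forged:", runLogin(bindAll, forged));
console.log("explicit, forged:", runLogin(bindDeclared, forged));
```

With the declared mapping, adding a new script variable never widens what a request can set; the mapping itself is the list to review.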