cocoon-dev mailing list archives

From "Hunsberger, Peter" <>
Subject RE: A case of SQL injection
Date Tue, 05 Nov 2002 17:29:57 GMT
> For things like SQL, transformers and the sitemap simple filtering
> should do it. We just need to make sure each individual parameter is ok.
> Everything else is up to the webapp's decision. Plain filtering would
> solve problems where we cannot supply webapp-like logic. Your example is
> definitely a webapp case ;)

I guess I'm ok with that. However, I'm not sure why you draw the
distinction between simple filtering and "other things" that are best left
up to the web app? Why not just leave it all up to the web app?

>> Adding yet another bit of semantics and complexity to the sitemap each
>> time we hit a problem is starting to strike me as a bad way to go. Next thing
>> you know we'll be promoting having an eXtensible Sitemap Language as a feature
>> of Cocoon and there will be entire books devoted to just how to write a
>> sitemap (maybe that's not such a bad idea even now :-)...
> I know... I'm also not in favor of the sitemap example I gave ;)

Hmm, no comment on using DTD and schema to achieve parameter validation
instead?  I guess it could be overkill, but it's certainly more in keeping
with standard XML transformation principles?
