cocoon-dev mailing list archives

From Glen Ezkovich
Subject Re: [RT] since we are at it, more irons in the template fire: Xenon
Date Wed, 08 Dec 2004 22:42:07 GMT

On Dec 8, 2004, at 2:22 PM, Ralph Goers wrote:

> Glen Ezkovich said:
>> On Dec 8, 2004, at 11:10 AM, Stefano Mazzocchi wrote:
>>> I think we should call our CTemplates taglibs "lenses" instead.
>> Call them what you will. It doesn't change the core issue. If "lenses"
>> allow you to access databases, send emails, invoke business methods, etc.
>> you still are inviting JSP/XSP-like abuse, albeit syntactically not as
>> ugly. It is not what you want to use them for, but what they can be
>> used for and how they are introduced into the system that lead to
>> potential problems.
> Actually, I always thought that taglibs were the "good part" of JSPs. It
> is the fact that you can code Java in them that makes them dangerous.

I stand corrected. It's the HTML that is the bad part. ;-) Tags are good 
in the sense that they offer encapsulation and thus promote 
reusability. What exactly is the difference if I encapsulate my Java 
code in a tag or in a method? Mainly usability. It is easier for a 
non-programmer to use tags than invoke methods. Ultimately it comes down 
to a method invocation. There is just one more level of indirection.

The point I attempted to make was that a template should be a template 
and not a controller or an entryway for model manipulation. JSP is MV 
and C. A template engine should just fill in the blanks with provided 
data with the assistance of metadata if necessary. As a bonus it would 
be nice to have some form of encapsulation where a template could be 
built out of other templates.

> If one can control what tag libraries are available and not allow Java
> code in the template then SOC is possible.

Unfortunately, if we want to get data out of Java objects, we have to 
allow some code.

> Of course, a tag library that allows you to code a select statement as
> a parameter would be awful, but you can't control everything in life.

And again you are right, you can't control everything. What you can do 
is limit how tags are introduced into the system. If taglibs are 
introduced by just adding a declaration in the template they are more 
likely to be abused than requiring them to be part of component 
configuration. There would be even fewer cases of abuse if one had to 
add the taglibs at compile time. I think it is reasonable to ask who is 
making the decisions on including the libraries and how easy does it 
have to be to add the libraries.

I really don't have a problem with taglibs. I don't even have a problem 
with the name. ;-)

All I would like is for the community to consider the ramifications. I 
know that no one who works with me will get away with doing something 
so egregious as using a taglib that allows select statements as a 
parameter. In the end that is all I care about. On a large project, I 
would like some way other than threats, to prevent my people from using 
such a library.

Glen Ezkovich
HardBop Consulting
glen at

A Proverb for Paranoids:
"If they can get you asking the wrong questions, they don't have to 
worry about answers."
- Thomas Pynchon Gravity's Rainbow
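
The distinction drawn in the message above, between taglibs enabled by a declaration in the template and taglibs fixed in component configuration, can be enforced mechanically. The following is an added example, not part of the original message or of Cocoon's code; the class name, the namespace URIs and the sample templates are hypothetical and constructed for illustration.

```java
import java.io.StringReader;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class TaglibAllowlist {
    // Hypothetical namespaces. The assumption is that this set comes from
    // component configuration that template authors cannot edit, so an
    // xmlns declaration inside a template never enables a new taglib.
    static final Set<String> ALLOWED = Set.of(
        "urn:example:template/core",
        "urn:example:template/i18n");

    /** Returns the first element namespace not in ALLOWED, or null if all are allowed. */
    static String firstDisallowedNamespace(String templateXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Templates are input too: refuse DOCTYPE declarations (blocks XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new InputSource(new StringReader(templateXml)));
        return check(doc.getDocumentElement());
    }

    // Depth-first walk; elements without a namespace are plain markup.
    private static String check(Element e) {
        String ns = e.getNamespaceURI();
        if (ns != null && !ALLOWED.contains(ns)) return ns;
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element) {
                String bad = check((Element) n);
                if (bad != null) return bad;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample templates.
        String ok = "<page xmlns:c='urn:example:template/core'>"
                  + "<c:value-of select='title'/></page>";
        String bad = "<page xmlns:sql='urn:example:template/sql'>"
                   + "<sql:query>select * from users</sql:query></page>";
        System.out.println("ok  -> " + firstDisallowedNamespace(ok));
        System.out.println("bad -> " + firstDisallowedNamespace(bad));
    }
}
```

Run at template load time, a non-null result is a reason to reject the template before any tag code executes. This sketch checks element namespaces only, not namespaced attributes.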
