struts-dev mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Velocity vs. JSP: objective tests?
Date Fri, 22 Nov 2002 22:24:01 GMT


On Fri, 22 Nov 2002, David Graham wrote:

> Date: Fri, 22 Nov 2002 14:55:55 -0700
> From: David Graham <dgraham1980@hotmail.com>
> Reply-To: Struts Developers List <struts-dev@jakarta.apache.org>
> To: struts-dev@jakarta.apache.org
> Subject: Re: Velocity vs. JSP: objective tests?
>
> I've always found it amusing that people are worried about page authors
> totally screwing up the application by executing arbitrary code.  Who are
> these rogue page authors you're hiring that will destroy your app?
>
> "We can't pass anything but a value bean with read only properties to these
> idiot page designers or they'll screw us!".
>
> I'm not implying that this is your view Craig, I have heard architects use
> this argument before though.
>

It is, in fact, not a big concern of mine. It's one of the arguments that
Velocity advocates originally made, and is also one of the things people like
Jason Hunter like about Tea (which is now on SF at
<http://teatrove.sourceforge.net>).  See Jason's thoughts about Tea on his
website <http://www.servlets.com> and the 2nd edition of "Java Servlet
Programming".  The concern, as I understand it, is not so much about
deliberately malicious page developers, but those that make errors that
are not caught prior to production deployment, which result in things like
stack traces shown to the end user.

> David

Craig

