You need to handle security by yourself. It just calls a function like an
extension, but by sending JSON to a PHP script. So if the user doesn't escape
variables used to execute an SQL statement, someone may use SQL injection, but
the same is true with an extension. If you write an extension
class Foo {
    function get_user_info($id) {
        global $db;
        // $id is interpolated straight into the SQL text
        return json_encode($db->get_results("SELECT username, email FROM
            aiki_users WHERE userid = $id"));
    }
}
and create a widget with the URL user_info
<script> $aiki->Foo->get_user_info($_GET['id']); </script>
everybody can call the widget /user_info?id=10 union select username,
password from aiki_users
and get all users' passwords.
If you can't write secure extensions, the same will be true with JSON-RPC.
--
You received this bug notification because you are a member of Aiki
Framework Developers, which is subscribed to aikiframework.
https://bugs.launchpad.net/bugs/735661
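The injectable pattern from the comment above beside a hardened version, as an added example that is not Aiki Framework code or part of the original thread. It assumes PDO with the SQLite driver and builds a constructed in-memory aiki_users table so it runs stand-alone.

```php
<?php
// Added example, not Aiki Framework code. Contrasts the injectable pattern
// from the comment with a hardened version, using an in-memory SQLite
// database with constructed sample data so it runs stand-alone.

// Vulnerable: $id is pasted into the SQL text, so the request parameter can
// change the query's structure (the UNION case described in the comment).
function get_user_info_unsafe(PDO $db, string $id): string {
    $rows = $db->query("SELECT username, email FROM aiki_users WHERE userid = $id")
               ->fetchAll(PDO::FETCH_ASSOC);
    return json_encode($rows);
}

// Hardened: the id must be an integer and is bound as a parameter, so the
// database receives the SQL text and the value separately.
function get_user_info_safe(PDO $db, $id): string {
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return json_encode(['error' => 'id must be an integer']);
    }
    $stmt = $db->prepare('SELECT username, email FROM aiki_users WHERE userid = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Constructed sample table matching the columns used in the comment.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE aiki_users (userid INTEGER, username TEXT, email TEXT, password TEXT)');
$db->exec("INSERT INTO aiki_users VALUES (10, 'alice', 'alice@example.com', 'hash1')");
$db->exec("INSERT INTO aiki_users VALUES (11, 'bob', 'bob@example.com', 'hash2')");

// Simulated ?id= values: a normal one and the UNION payload from the comment.
// The unsafe version returns the password column for the second input; the
// safe version rejects it before any SQL runs.
foreach (['10', '10 UNION SELECT username, password FROM aiki_users'] as $id) {
    echo "unsafe: ", get_user_info_unsafe($db, $id), "\n";
    echo "safe:   ", get_user_info_safe($db, $id), "\n";
}
```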
Title:
JSON-RPC support is needed
Status in Aiki Framework:
Triaged
Bug description:
There should be an implementation of Aiki functionality via JSON-RPC, or an
implementation that allows users to create one using widgets.
I found that in this file /assets/javascript/plupload/upload.php there is
embedded JSON-RPC; this can be done automatically.
If you need a JSON-RPC implementation, here is mine:
https://github.com/jcubic/jquery.terminal/raw/master/examples/json-rpc.php
Mailing list: https://launchpad.net/~aikiframework-devel