In fact, the question is always: where is the limit between content and code? what's presentation layer and what's business layer? :) JSP should never contain any code in modern web architecture and only be presentation layer... PHP often mixes both but this can be limited using a good PHP framework...
Anyway JSP and PHP are always hidden and you only see the result. XWiki allows putting Velocity scripts in any document (and soon Groovy). Logic in content... Then where is the limit????... I would answer: where you want it to be... There is no universal rule about this and I think this is one strength of XWiki... You can change it in what you need... But I see what you mean... it can be disturbing that people can directly see VM scripts which seem to be the basic scripts of XWiki... I don't know the exact point of view of Vincent about this but I think you can customize as you want, it shouldn't be complicated... br Pascal On Thu, Jun 12, 2008 at 9:54 AM, Lilianne E. Blaze < [EMAIL PROTECTED]> wrote: > Hello, > > Vincent Massol wrote: > > Hi Lilianne, > > > > > They are content like any content file you put in your webapp root. > > For example you would put JSP files there. The Velocity template are > > Well, yes and no. Users can't access .jsp sources, only what is > generated by them. > > On the other hand these files are viewable, users see their code. Run > the hsqldb unzip-and-run version and check > http://localhost:8080/xwiki/templates/macros.vm - everything visible. > > Of course there shouldn't be any 'secret' things inside them, like > passwords, but being able to view them might give someone an idea how to > attack the rest of the code. Think about the SQL injections - the more > you know about the code, the easier it is to try an sql injection > attack. If you see the html code the browser normally receives, they're > moderately difficult. If you see the .php source, even if it doesn't > contain any connection-specific data, it makes it much easier. > > Of course it doesn't apply to an out-of-the-box XWiki as the source is > available anyway, but it can expose custom modifications. > > As for .jsps, actually I do place them in /WEB-INF along with everything > else that doesn't absolutely have to be in / to work (like static > images, javascript, etc) behind a controller (Struts for example). And I > got the impression it's a pretty common practice. > > > Also, why do you say they are accessible (assuming you mean writeable) > > by everyone? AFAIK they are only accessible to those who have access > > As in anyone-can-view-the-code, not as in writeable. > > > > > Thanks > > -Vincent > > > Greetings, Lilianne > > > _______________________________________________ > devs mailing list > devs@xwiki.org > http://lists.xwiki.org/mailman/listinfo/devs > _______________________________________________ devs mailing list devs@xwiki.org http://lists.xwiki.org/mailman/listinfo/devs
