I am sure that most of the people would try to use a basic functional
trick here:
(* Version 1 *)
fun validate_and_apply f = return {}
fun handler u f = validate_and_apply f ; redirect u
fun form (u:url) : transaction xbody = reutrn <xml><form>...<submit
action={handler u}/></form></xml>
fun viewA (idx:int) = template ( f<- form (url (viewA idx)); return
<xml>{f}</xml>)
fun viewB (idx:int) = template ( f<- form (url (viewB idx)); return
<xml>{f}</xml>)
...
The "Input to exported function 'FormBug3/handler' involves one or
more types that are disallowed for page handler inputs: Basis.url"
will appear.
You can get around this issue by using type [string] instead of
[url]. Use [show] to convert [url] to [string], then use [bless] to
convert back. I've done this before for various sites. You can even
use [Basis.currentUrl] to get the current URL, without forcing each
caller of the redirecting function to construct the URL explicitly.
Note that this is _not_ a case of unjustifiable draconian behavior by
the compiler, since [bless] will do run-time checking that URLs follow
the policy you've configured in .urp files.
Well, for some reason I didn't take into account that 'show' instance is
defined for the url type. I agree, this approach should work for now.
But this way we handle basic cases only. For example, if I add one
trivial requirement to my login forms task - "views should print errors
in case of invalid login attempt" - then `form' function will need
(string -> url) function argument rather than constant url and, thus,
specializations. I can't see stable solution, that is why I'm so nervous
about this problem.
By the way, you mentioned other frameworks which assigns urls to
continuations. I suppose it makes it possible to attack such servers by
forcing it into creating more and more continuations. But it is
interesting to read how the authors reason about the security. Could you
point me to some reading about this?
_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
