On Dec 8, 2004, at 2:22 PM, Ralph Goers wrote:

Glen Ezkovich said:
On Dec 8, 2004, at 11:10 AM, Stefano Mazzocchi wrote:

I think we should call our CTemplates taglibs "lenses" instead.

Call them what you will. It doesn't change the core issue. If "lenses" allow you to access databases, send emails, invoke business methods, etc. you still are inviting JSP/XSP like abuse, albeit, syntactically not as ugly. It is not what you want to use them for, but what they can be used for and how they are introduced into the system that lead to potential problems.

Actually, I always thought that taglibs were the "good part" of JSPs. It
is the fact that you can code Java in them that makes them dangerous.

I stand corrected. It's the HTML that is the bad part. ;-) Tags are good in the sense that they offer encapsulation and thus promote reusability. What exactly is the difference if I encapsulate my java code in a tag or in a method? Mainly usability. It is easier for a non-programmer to use tags than invoke methods. Ultimately it comes down to a method invocation. There is just one more level of indirection.


The point I attempted to make was that a template should be a template and not a controller or an entryway for model manipulation. JSP is MV and C. A template engine should just fill in the blanks with provided data with the assistance of metadata if necessary. As a bonus it would be nice to have some form of encapsulation where a template could be built out of other templates.

If
one can control what tag libraries are available and not allow java code
in the template then SOC is possible.

Unfortunately if we want to get data out of java objects we have to allow some code.


Of course, a tag library that
allows you to code a select statement as a parameter would be awful, but
you can't control everything in life.

And again you are right, you can't control everything. What you can do is limit how tags are introduced into the system. If taglibs are introduced by just adding a declaration in the template they are more likely to be abused than requiring them to be part of component configuration. There would be even fewer cases of abuse if one had to add the taglibs at compile time. I think it is reasonable to ask who is making the decisions on including the libraries and how easy does it have to be to add the libraries.


I really don't have a problem with taglibs. I don't even have a problem with the name. ;-)

All I would like is for the community to consider the ramifications. I know that no one who works with me will get away with doing something so egregious as using a taglib that allows select statements as a parameter. In the end that is all I care about. On a large project, I would like some way other than threats, to prevent my people from using such a library.


Glen Ezkovich HardBop Consulting glen at hard-bop.com http://www.hard-bop.com



A Proverb for Paranoids:
"If they can get you asking the wrong questions, they don't have to worry about answers."
- Thomas Pynchon Gravity's Rainbow
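Glen's position in the message above (a template should only fill in the blanks with provided data, and tags should be introduced through component configuration rather than by a declaration inside the template) can be sketched as a small engine. The code below is an added example for this archive page, not code from the thread, from Cocoon, or from the CTemplates work being discussed; the `{{ path }}` / `{% tag path %}` syntax, the `Engine` class, `TemplateError` and the sample tags are assumptions of the example. Placeholders can only read data handed to the template (never call into it), output is HTML-escaped, and a tag that was not registered when the engine was configured is refused rather than silently resolved.

```python
import html
import re
from typing import Any, Callable, Dict, Mapping, Optional

# Assumed syntax for the example: {{ user.name }} reads data, {% upper user.name %} applies
# a registered tag. The last alternative catches any directive start that did not parse,
# so a template cannot sneak code past the engine by malforming a directive.
TOKEN = re.compile(
    r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}"                               # group 1: placeholder
    r"|\{%\s*([A-Za-z_]\w*)(?:\s+([A-Za-z_][\w.]*))?\s*%\}"          # group 2/3: tag, optional arg
    r"|(\{\{|\{%)"                                                   # group 4: unparseable directive
)


class TemplateError(Exception):
    """Raised when a template asks for something the engine does not allow."""


def _lookup(data: Mapping[str, Any], path: str) -> Any:
    """Walk a dotted path through nested mappings; refuse callables so the template stays a view."""
    cur: Any = data
    for part in path.split("."):
        if isinstance(cur, Mapping) and part in cur:
            cur = cur[part]
        else:
            raise TemplateError(f"unknown placeholder {path!r}")
    if callable(cur):
        raise TemplateError(f"{path!r} is callable; templates may only read data, not invoke it")
    return cur


class Engine:
    """Fill-in-the-blanks renderer whose tags come from configuration, not from the template."""

    def __init__(self, tags: Optional[Dict[str, Callable[[Any], Any]]] = None) -> None:
        # The tag set is fixed when the component is configured (Glen's point about
        # limiting how tags are introduced); templates cannot declare new ones.
        self._tags: Dict[str, Callable[[Any], Any]] = dict(tags or {})

    def render(self, template: str, data: Mapping[str, Any]) -> str:
        def substitute(m: "re.Match[str]") -> str:
            if m.group(4) is not None:
                raise TemplateError(f"malformed directive at offset {m.start()}: {m.group(0)!r}")
            if m.group(1) is not None:
                return html.escape(str(_lookup(data, m.group(1))))
            name, arg = m.group(2), m.group(3)
            if name not in self._tags:
                raise TemplateError(f"tag {name!r} is not registered for this component")
            value = _lookup(data, arg) if arg is not None else None
            return html.escape(str(self._tags[name](value)))

        return TOKEN.sub(substitute, template)


def try_render(engine: Engine, template: str, data: Mapping[str, Any]) -> str:
    """Render, or return 'ERROR: ...' so callers can see why a template was refused."""
    try:
        return engine.render(template, data)
    except TemplateError as exc:
        return f"ERROR: {exc}"


if __name__ == "__main__":
    # Constructed sample data and templates for the demonstration.
    engine = Engine(tags={"upper": lambda v: str(v).upper()})
    user = {"name": "<b>Glen</b>", "greet": lambda: "hi"}
    print(try_render(engine, "<p>Hi {{ user.name }}</p>", {"user": user}))
    print(try_render(engine, "{% upper user.name %}", {"user": {"name": "glen"}}))
    print(try_render(engine, "{% select user.query %}", {"user": {"query": "anything"}}))
    print(try_render(engine, "{{ user.greet }}", {"user": user}))
    print(try_render(engine, "{{ user.name() }}", {"user": user}))
```

The engine is deliberately dumb: the only way to give a template a new capability is to register a tag when the component is configured, which is the control point Glen argues for. Because `_lookup` refuses callables and unparsed directives are errors, a template author gets data and registered tags and nothing else.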