Hello,

Vincent Massol wrote:
> Hi Lilianne,
> 

> They are content like any content file you put in your webapp root.  
> For example you would put JSP files there. The Velocity templates are  

Well, yes and no. Users can't access .jsp sources, only what is 
generated by them.

On the other hand these files are viewable, users see their code. Run 
the hsqldb unzip-and-run version and check 
http://localhost:8080/xwiki/templates/macros.vm - everything visible.

Of course there shouldn't be any 'secret' things inside them, like 
passwords, but being able to view them might give someone an idea of how to 
attack the rest of the code. Think about SQL injections - the more 
you know about the code, the easier it is to try an SQL injection 
attack. If you see the HTML code the browser normally receives, they're 
moderately difficult. If you see the .php source, even if it doesn't 
contain any connection-specific data, it makes it much easier.

Of course it doesn't apply to an out-of-the-box XWiki as the source is 
available anyway, but it can expose custom modifications.

As for .jsps, actually I do place them in /WEB-INF along with everything 
else that doesn't absolutely have to be in / to work (like static 
images, javascript, etc) behind a controller (Struts for example). And I 
got the impression it's a pretty common practice.

> Also, why do you say they are accessible (assuming you mean writeable)  
> by everyone? AFAIK they are only accessible to those who have access

As in anyone-can-view-the-code, not as in writeable.

> 
> Thanks
> -Vincent


Greetings, Lilianne
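A defender-side check for the exposure discussed in this message, added here as an example and not part of the thread or of XWiki: it requests candidate template paths and flags any whose raw Velocity source (unrendered `#macro(`, `#set(`, etc.) comes back with a 200, which is what you would run after moving templates under /WEB-INF to confirm they are no longer served. The function names, the path list and the injectable `fetch` parameter are assumptions.

```python
import re
import urllib.error
import urllib.request

# Velocity directives at line start only appear in raw template source,
# never in the rendered HTML a browser normally receives.
VELOCITY_SOURCE = re.compile(
    r"^\s*#(macro|set|if|foreach|include|parse)\s*\(", re.MULTILINE
)


def looks_like_velocity_source(body: str) -> bool:
    """True if the response body contains unrendered Velocity directives."""
    return VELOCITY_SOURCE.search(body) is not None


def fetch_with_urllib(url: str):
    """Default fetcher (hypothetical helper): returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def find_exposed_templates(base_url, paths, fetch=fetch_with_urllib):
    """Return the paths whose raw template source is served to a plain GET.

    A 404/403 means the container (or a /WEB-INF placement) is hiding the
    file; a 200 whose body still looks like Velocity source means anyone
    can read the template, including any custom modifications in it.
    """
    exposed = []
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        if status == 200 and looks_like_velocity_source(body):
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    # Constructed sample: the URL from the thread plus a second template name.
    CANDIDATES = ["/templates/macros.vm", "/templates/view.vm"]
    for hit in find_exposed_templates("http://localhost:8080/xwiki", CANDIDATES):
        print("template source readable by anyone:", hit)
```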


_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs