Glynn, I understood the risk and I agree in toto with you. For the web-ui interface we can define the rules for each kind of entry and publish the rules/restrictions on a help page. Then, when an invalid-input exception is raised, the UI will point the user to the rules page.
Massimo.

On Mar 10, 2014, at 12:02 PM, Glynn Clements <[email protected]> wrote:

> epi wrote:
>
>> I guess the code behind the web-ui has to sanitize each text entry;
>> will this be enough?
>>
>> A "sanitize inspection" on all the "input" coming from the web-ui
>> can be performed and this will be part of the UI itself, not of the
>> grass modules, with the aim of avoiding people doing something like ...
>> http://xkcd.com/327/ ;)
>
> That's the main thing.
>
> If you allow the user to e.g. provide names for maps, such names
> should be limited to alphanumeric characters and limited to a
> reasonable length.
>
> If you allow the user to provide a list of inputs, limit both the
> maximum number of items and the total length of the resulting textual
> representation.
>
> And so on.
>
> In short, GRASS modules are designed for use by local users who
> already have shell access, so there hasn't been any need to program
> defensively. The OS prevents people from e.g. reading or writing files
> which they aren't supposed to.
>
> --
> Glynn Clements <[email protected]>

_______________________________________________
grass-dev mailing list
[email protected]
http://lists.osgeo.org/mailman/listinfo/grass-dev
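The allow-list validation Glynn describes (alphanumeric map names of bounded length; a bounded item count and bounded serialized length for lists), combined with Massimo's idea of pointing the user at a published rules page when input is rejected, as an added Python example. This is illustration code written for this thread, not code from the GRASS project or from either poster; the rules URL, the concrete limits (64 characters per name, 20 items per list, 1024 characters of serialized list) and the decision to admit underscores alongside alphanumerics are assumptions chosen for the example.

```python
import re

# Hypothetical location of the published rules page (constructed placeholder,
# not a real GRASS URL); every rejection message points here.
RULES_URL = "https://example.invalid/grass-webui/input-rules"

# Limits are assumptions chosen for the example; the thread only asks for
# "alphanumeric" names and "a reasonable length".
MAX_NAME_LEN = 64
MAX_LIST_ITEMS = 20
MAX_LIST_TOTAL_LEN = 1024

# Allow-list pattern: alphanumerics plus underscore. The underscore is a
# relaxation of the strictly alphanumeric rule, added because map names in
# practice commonly contain it.
MAP_NAME_RE = re.compile(r"[A-Za-z0-9_]+")


class InvalidInputError(ValueError):
    """Raised by the UI layer; the message tells the user which field failed and why."""

    def __init__(self, field, reason):
        self.field = field
        self.reason = reason
        super().__init__(f"{field}: {reason} (see {RULES_URL})")


def validate_map_name(name, field="map"):
    """Check one map name: a string, non-empty, bounded length, allow-listed characters."""
    if not isinstance(name, str):
        raise InvalidInputError(field, "must be a string")
    if not name:
        raise InvalidInputError(field, "must not be empty")
    if len(name) > MAX_NAME_LEN:
        raise InvalidInputError(field, f"longer than {MAX_NAME_LEN} characters")
    if MAP_NAME_RE.fullmatch(name) is None:
        raise InvalidInputError(field, "contains characters outside [A-Za-z0-9_]")
    return name


def validate_map_list(names, field="inputs"):
    """Bound the item count, check every item, then bound the serialized length."""
    if len(names) > MAX_LIST_ITEMS:
        raise InvalidInputError(field, f"more than {MAX_LIST_ITEMS} items")
    checked = [validate_map_name(n, field=f"{field}[{i}]") for i, n in enumerate(names)]
    joined = ",".join(checked)  # the textual form that would be handed to a module
    if len(joined) > MAX_LIST_TOTAL_LEN:
        raise InvalidInputError(
            field, f"serialized list longer than {MAX_LIST_TOTAL_LEN} characters"
        )
    return joined


def check_form(form):
    """Validate a submitted form dict; return (ok, list of user-facing messages).

    All fields are checked so the user sees every problem at once rather than
    fixing them one round-trip at a time.
    """
    errors = []
    try:
        validate_map_name(form.get("output", ""), field="output")
    except InvalidInputError as e:
        errors.append(str(e))
    try:
        validate_map_list(form.get("inputs", []), field="inputs")
    except InvalidInputError as e:
        errors.append(str(e))
    return (not errors, errors)


if __name__ == "__main__":
    # Constructed sample submissions: one well-formed, one with a quote-laden
    # name in the style of xkcd 327 and a path-like list entry.
    good = {"output": "elevation_10m", "inputs": ["dem", "slope", "aspect"]}
    bad = {"output": "Robert'); DROP TABLE Students;--",
           "inputs": ["dem", "../other_mapset"]}
    for form in (good, bad):
        ok, messages = check_form(form)
        print("accepted" if ok else "rejected", messages)
```

Because the check is an allow-list (what is permitted) rather than a deny-list of dangerous characters, anything outside the documented rules is rejected without the UI having to anticipate specific shell or SQL metacharacters; the rules page then has to document exactly the pattern and limits the code enforces.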
