Jean-Christophe Kermagoret wrote:

I think Raphael spoke more about those annoying "Script error in page, line... Debug or Cancel?" dialog boxes than about security. It is amazing how many newbies I have seen staring into the Javascript debugger in Windows.

Luta, Raphael (VUN) wrote:

From: Jean-Christophe Kermagoret [mailto:[EMAIL PROTECTED]]

I agree with what you are saying but:
It's possible to have this kind of behaviour with a javascript function that values the "action" and "template" parameter for each case. For example :
function SubmitDefault() {
form.....action.value = "MyDefaultPortletAction";
form.....template.value = "MyDefaultTemplate.vm" ;
}
function SubmitToUpdate() {
form.....action.value = "MyUpdatePortletAction";
form.....template.value = "MyUpdateTemplate.vm" ;
}
...
What are the reasons to use several action and template variables?
You probably don't want to do this in JS, for 3 reasons:
- you don't trust your client (and if you do, you should not :)
- you can't guarantee that your client will actually execute the code
- you break the MVC pattern by encoding controller information in your template and tying your different templates together

IMO, you should never explicitly set a template from another one but always abstract your application flow through a "state" that is mapped to a template view by your controller code.
It also makes it much easier to validate the current state of the application.
--
Rapha�l Luta - [EMAIL PROTECTED]
Jakarta Jetspeed - Enterprise Portal in Java
http://jakarta.apache.org/jetspeed/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
1 - I can bypass security with hidden fields the same way I could bypass it with JS

This depends largely on your target. With Javascript you can completely spoil the possibility (for instance) of Google indexing your page. I've seen quite a few such examples. Or have a page where no link works with Mozilla or a Nokia phone, for instance.

2 - Almost everybody has javascript enabled

3 - Using JS is like your hidden fields: designers can change them without breaking anything.

You are introducing unneeded complexity just where you cannot control it. (Occam's razor?)
I still don't see any differences. Where are my glasses :-)
Go look for them, truly. ;-)
--
Jean-Christophe Kermagoret
[EMAIL PROTECTED]
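The point Raphael makes about not trusting the client and routing through a server-side "state", shown as an added example that is not Jetspeed code nor anything posted in this thread. It is a small Python dispatcher in two versions: the first renders whatever action and template names the form's hidden fields carry (what the SubmitToUpdate()-style JavaScript above fills in), the second accepts only a state token and keeps the state -> (action, template, privilege) mapping on the server. The template, action and state names, the Request type and the admin flag are all assumptions made for the example.

```python
"""Illustrative request dispatchers (Python, not Jetspeed code): one that
renders whatever template name the client's hidden field carries, and one
that accepts only a server-defined state token and maps it to a view.
Template, action and state names are constructed for the example."""

from dataclasses import dataclass, field


@dataclass
class Request:
    params: dict                                  # decoded form fields
    is_admin: bool = False                        # assumed session privilege
    log: list = field(default_factory=list)       # records which actions ran


class Forbidden(Exception):
    pass


# Constructed sample of the templates the application owns.
TEMPLATES = {
    "MyDefaultTemplate.vm": "<default view>",
    "MyUpdateTemplate.vm": "<update form>",
    "AdminTemplate.vm": "<admin-only view>",
}


# Constructed action handlers, keyed the way a hidden "action" field names them.
def default_action(req):
    req.log.append("default")


def update_action(req):
    req.log.append("update")


def admin_action(req):
    req.log.append("admin")


ACTIONS = {
    "MyDefaultPortletAction": default_action,
    "MyUpdatePortletAction": update_action,
    "AdminPortletAction": admin_action,
}


def render_trusting_client(req):
    """Vulnerable: action and template both come straight from the form.

    Client-side JavaScript may fill those fields, but nothing obliges the
    client to run it; a hand-built POST can pair any action with any
    template, or name a view the user was never meant to see."""
    action = req.params.get("action", "MyDefaultPortletAction")
    template = req.params.get("template", "MyDefaultTemplate.vm")
    ACTIONS[action](req)        # no check that action and template belong together
    return TEMPLATES[template]  # no authorization on the chosen view either


# Hardened: the client names only an application state; the controller
# owns the mapping state -> (action, template, admin required).
STATES = {
    "default": ("MyDefaultPortletAction", "MyDefaultTemplate.vm", False),
    "update": ("MyUpdatePortletAction", "MyUpdateTemplate.vm", False),
    "admin": ("AdminPortletAction", "AdminTemplate.vm", True),
}


def render_by_state(req):
    """Safe: unknown states and under-privileged requests are refused."""
    state = req.params.get("state", "default")
    try:
        action, template, needs_admin = STATES[state]
    except KeyError:
        raise Forbidden(f"unknown state {state!r}") from None
    if needs_admin and not req.is_admin:
        raise Forbidden(f"state {state!r} requires admin")
    ACTIONS[action](req)
    return TEMPLATES[template]


def dispatch(handler, req):
    """Run a dispatcher and report (ok, result) so outcomes can be compared."""
    try:
        return True, handler(req)
    except (Forbidden, KeyError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # Constructed requests: an honest update, and a forged POST naming the admin view.
    honest = {"action": "MyUpdatePortletAction", "template": "MyUpdateTemplate.vm"}
    forged = {"action": "MyDefaultPortletAction", "template": "AdminTemplate.vm"}
    print(dispatch(render_trusting_client, Request(honest)))
    print(dispatch(render_trusting_client, Request(forged)))            # leaks the admin view
    print(dispatch(render_by_state, Request({"state": "update"})))
    print(dispatch(render_by_state, Request({"state": "admin"})))       # refused
    print(dispatch(render_by_state, Request({"state": "AdminTemplate.vm"})))  # unknown state refused
```

The forged request works against the first dispatcher because the JavaScript that was supposed to pick the template never ran; the second dispatcher does not care what the browser executed, since the only thing it reads from the client is a key into a table it controls.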
