Not sure what you're getting at. Are you saying one should not add his
custom JSPs to JSPWiki? By that logic you couldn't use any JSPs at all.
And if you're linking to them through a wiki link or by simply entering
its address in the browser location bar shouldn't make any difference in
terms of security.
Matthias -- re-reading this thread, it is clear that I have
misinterpreted your intentions.
It is perfectly safe for a developer or admin to add JSPs to JSPWiki,
or to modify existing JSPs so that they include additional JavaScript
code. These kinds of activities can only be done by a developer or
admin who has access to the filesystem. It appears that is what you
intended to do, and it's fine.
It is "mostly" safe for a wiki page to include an existing JSP via a
"special pages" link. I'm not really that thrilled that the capability
to do this exists in JSPWiki; I can imagine several obscure scenarios
where it might be abused. But that, too, isn't really a problem.
However, what I was responding to was the idea of using a wiki page to
include arbitrary JavaScript or arbitrary JSP code that an author
uploads to the page. This would be incredibly unsafe. But, it's not
what you meant... so never mind. :)
Sorry -- I get a lot of e-mails every day, and I can't always read
them as closely as I'd like. As the resident paranoid around here, I'm
always looking for failure modes.
Andrew
All I am doing is adding yet another JSP to JSPWiki which uses JavaScript
for some UI logic and asynchronous HTTP requests. If adding custom JSPs
which make use of standard JavaScript opens security holes in JSPWiki,
then JSPWiki may be fundamentally broken in terms of security.
Best,
Matthias