Dave wrote:
> On 3/19/07, Allen Gilliland <[EMAIL PROTECTED]> wrote:
>> I'd like to suggest that we do one more thing to fix this problem
>> starting in the current trunk.  I'd like to go ahead and make our pojo
>> wrappers static so that we can place custom code in various methods to
>> handle situations like this.  The problem with the current fix is that
>> it relies on the fact that people are using the macros and that can't be
>> guaranteed, so to truly solve this problem we need the functionality to
>> be in the pojo wrappers themselves so that there is no way to get
>> unescaped data.
>>
>> So to do this all I am planning to do is copy the current generated
>> wrappers into the actual source tree and commit them, then modify the
>> various getXXX() methods on the CommentDataWrapper so that they escape
>> the data.
>>
>> Not only does this help fix this security issue at the very root level,
>> but it will also open up opportunities to do more with our wrappers in
>> general.  So is anyone else opposed to making the pojo wrappers static?
>>
>> I don't think this change would need to be back ported to older
>> releases, so it would just go into the current trunk.
> 
> I'm +0 on this.
> 
> It eliminates one reason we need XDoclet, that's good.
> 
> It opens opportunities for smarter POJO wrappers, which is good --
> but, other than comments security what else can we use that for?
> 
> It adds more code to maintain and more code to update when a new field
> or POJO is added, but I guess with a good IDE that work is negligible.
> 
> So unless somebody else has some good solid objections, go for it.
> 
> - Dave
> 

I think I know what you are trying to fix, but when we did it for Lotus
Connections we didn't do it in the wrappers. I'm not sure why the wrappers
have to be the place; if so, it does make it uglier because of more
changes to make every time we change/add to the data model.

-Elias

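The shape of the fix Allen proposes, as an added example that is not Roller's code or anything from this thread: a hand-written (static) wrapper whose getters escape on the way out, so a template that holds only the wrapper cannot obtain the raw comment fields no matter which macros it uses. The class and field names (`CommentData`, `CommentDataWrapper.wrap`, `escapeHtml`, the four fields) are assumptions for illustration; the real `CommentDataWrapper` and its POJO are not shown on the page. The scheme check in `getUrl()` is an addition beyond what the thread proposes, because HTML escaping does nothing against a `javascript:` URL placed in an `href`.

```java
import java.util.Locale;

/**
 * Hand-written ("static", i.e. no longer generated by XDoclet) wrapper.
 * Templates only ever get a reference to this class, never to the POJO,
 * so every String that reaches a template has passed through escapeHtml().
 * Class and method names are assumptions for this example.
 */
final class CommentDataWrapper {
    private final CommentData pojo;

    private CommentDataWrapper(CommentData pojo) { this.pojo = pojo; }

    static CommentDataWrapper wrap(CommentData pojo) {
        return pojo == null ? null : new CommentDataWrapper(pojo);
    }

    public String getName()    { return escapeHtml(pojo.getName()); }
    public String getEmail()   { return escapeHtml(pojo.getEmail()); }
    public String getContent() { return escapeHtml(pojo.getContent()); }

    /**
     * Escaping alone does not make a value safe inside href="...": a
     * javascript: URL contains no HTML metacharacters at all. This scheme
     * check is an addition for the example, not something the thread proposes.
     */
    public String getUrl() {
        String raw = pojo.getUrl();
        if (raw == null) return "";
        String trimmed = raw.trim();
        String lower = trimmed.toLowerCase(Locale.ROOT);
        if (!(lower.startsWith("http://") || lower.startsWith("https://"))) {
            return "";
        }
        return escapeHtml(trimmed);
    }

    /** Replaces the five HTML metacharacters; null becomes the empty string. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a comment as a hostile visitor might submit it.
        CommentData raw = new CommentData(
            "Mallory <script>alert(1)</script>",
            "\"><img src=x onerror=alert(1)>",
            "javascript:alert(document.cookie)",
            "Nice post & thanks! <b>bold</b>");
        CommentDataWrapper c = CommentDataWrapper.wrap(raw);
        // These are the values a Velocity template sees for $comment.name etc.
        System.out.println("name:    " + c.getName());
        System.out.println("email:   " + c.getEmail());
        System.out.println("url:     [" + c.getUrl() + "]");
        System.out.println("content: " + c.getContent());
    }
}

/**
 * Minimal stand-in for the comment POJO. Its getters return exactly what
 * the commenter submitted, unescaped; field names are assumptions here.
 */
final class CommentData {
    private final String name;
    private final String email;
    private final String url;
    private final String content;

    CommentData(String name, String email, String url, String content) {
        this.name = name;
        this.email = email;
        this.url = url;
        this.content = content;
    }

    String getName()    { return name; }
    String getEmail()   { return email; }
    String getUrl()     { return url; }
    String getContent() { return content; }
}
```

Run it with `java CommentDataWrapper.java` (Java 11 or later). The point of the layout is that `$comment.name` in a template resolves to `getName()` on the wrapper, and the wrapper keeps the POJO private, so there is no path from template code to the unescaped string; that is the guarantee Allen says the macro-based fix cannot give. Elias's objection also shows up concretely: every field added to the POJO now needs a matching wrapper method, and a new field with a plain pass-through getter would silently reopen the hole.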