Re: WebObjects vulnerabilities?

2011-07-12 Thread Simon
i think core WO is still plagued with the wosid cross-scripting issue too. we patch it in ERXRequest - not sure if the patch ever made it into wonder though... simon On 12 July 2011 02:43, Mike Schrag msch...@pobox.com wrote: You have to be mindful of ever rendering any tainted strings ...

Re: WebObjects vulnerabilities?

2011-07-12 Thread Josef Burzler
WO-Applications are indeed vulnerable to cross-site-scripting if end-users are allowed to submit HTML. An example would be an Online-HTML-editor which allows users to edit formatted text in their browsers. In order to remove unwanted and malicious code from the submitted HTML and avoid

Re: WOWODC 2011 recordings

2011-07-12 Thread Lachlan Deck
On 07/07/2011, at 2:12 AM, Karl wrote: Apple isn’t Oracle (ie. it is not _insane_ when it comes to Open Source). However, I completely agree with Chuck. There is simply no reason for Apple to spend a millisecond thinking about open sourcing WO. It just isn’t even on their radar screen

Dynamic table with editable content

2011-07-12 Thread naneon . raymond
Hi, Is it possible in WO to have an ERXTable or other table component with editable content? What is the list of components we need to do that? Thanks Ray ___ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing

Re: Dynamic table with editable content

2011-07-12 Thread Kieran Kelleher
WOForm wrapping ERXTable with cells containing form fields. On Jul 12, 2011, at 9:21 AM, naneon.raym...@neuf.fr wrote: Hi, Is it possible in WO to have an ERXTable or other table component with editable content? What is the list of components we need to do that? Thanks Ray

Re: Re: Dynamic table with editable content

2011-07-12 Thread naneon . raymond
WOForm wrapping ERXTable with cells containing form fields. == Cells containing form fields: does it mean I can use textFields in each cell of ERXTable? Do you have an example, please? Are the ERXTable columns sortable too? On Jul 12, 2011, at 9:21 AM, naneon.raym...@neuf.fr wrote: Hi, It's

Re: WebObjects vulnerabilities?

2011-07-12 Thread Mike Schrag
My recommendation is to only use cookie session ids and actually throw very early if you get a URL session id. Sent from my iPhone On Jul 12, 2011, at 3:36 AM, Simon si...@potwells.co.uk wrote: i think core WO is still plagued with the wosid cross-scripting issue too. we patch it in

Re: Dynamic table with editable content

2011-07-12 Thread Kieran Kelleher
Ray, At the end of the day, WOComponent response simply generates HTML. And when you submit a WOComponent generated form, the browser just sends a list of form fields and values back to the server. Tables and cells are just response presentation layout and are not relevant to form fields. I

Re: Re: Dynamic table with editable content

2011-07-12 Thread naneon . raymond
Message of: 12/07/2011 From: Kieran Kelleher kelleh...@gmail.com To: naneon.raym...@neuf.fr Cc: webobjects-dev@lists.apple.com Subject: Re: Dynamic table with editable content Ray, At the end of the day, WOComponent response simply generates HTML. And when you submit a WOComponent

Re: Dynamic table with editable content

2011-07-12 Thread Kieran Kelleher
Rough example copied/contrived from an old component: <wo:form> <webobject name = "RegionTable"><webobject name = "RegionName" /></webobject> <wo:submit action = "$submitRegions"></wo:submit> </wo:form> RegionTable: WOTable { item = regionDictItem; list = regionDictArray;

Re: Webobjects-dev Digest, Vol 8, Issue 493

2011-07-12 Thread Theodore Petrosky
I have created tables with an AjaxInPlaceEditor in a few of the columns. Warning, they are expensive so you will have to batch your table. Ted Date: Tue, 12 Jul 2011 15:47:58 +0200 (CEST) From: naneon.raym...@neuf.fr Subject: Re: Re: Dynamic table with editable content To: WebObjects

Re: Re: Dynamic table with editable content

2011-07-12 Thread naneon . raymond
Thanks a lot. I'll go try it and add some stuff. Ray Message of: 12/07/2011 From: Kieran Kelleher kelleh...@gmail.com To: naneon.raym...@neuf.fr Cc: webobjects-dev@lists.apple.com Subject: Re: Dynamic table with editable content Rough

Re: Re: Webobjects-dev Digest, Vol 8, Issue 493

2011-07-12 Thread naneon . raymond
I have created tables with an AjaxInPlaceEditor in a few of the columns. Warning, they are expensive so you will have to batch your table. === Do you have a link to your example? Ted Date: Tue, 12 Jul 2011 15:47:58 +0200 (CEST) From: naneon.raym...@neuf.fr Subject: Re: Re: Dynamic table with

ajaxgrid and d2w

2011-07-12 Thread Michael Gargano
If anyone knows... I'm guessing there is no easy way to use ajaxgrid with d2w. I'm assuming I'd have to write my own look to do something like this which would involve me mostly rewriting ajaxgrid to cram the d2w content into it. If anyone has any suggestions I'm open. Thanks. -Mike

Xserve, Linux or Cloud

2011-07-12 Thread Gino Pacitti
Hi List, Any thoughts on the way to go for WO deployment? I currently have an Xserve running all my instances but have been toying with the idea of farming them out to the cloud... Can anyone give some yay or nay on this?? Gino

Re: Xserve, Linux or Cloud

2011-07-12 Thread Jérémy DE ROYER [INGENCYS]
We have many servers too. Each server has many applications. Only one instance per application, using wotaskd. Easy to administer, but we do need a lot of memory because each instance has its own JVM. We tried to do it with Tomcat but in the end never changed, except for a single server and customer.

Re: Xserve, Linux or Cloud

2011-07-12 Thread Jesse Tayler
I've gone from XServe to the Amazon EC2/S3 system this last year and I've had fantastic results. A few of us are using installation scripts for the server that really put you in control of the configuration with confidence and power. There are a few wiki pages on it

Re: Xserve, Linux or Cloud

2011-07-12 Thread Martin Samm
Have to agree. We're using EC2 and Puppet scripts for server build and maintenance. It's proven to be robust and cost effective. On 12 Jul 2011 17:05, Jesse Tayler jtay...@oeinc.com wrote: I've gone from XServe to the Amazon EC2/S3 system this last year and I've had fantastic results. A few of

Re: WebObjects vulnerabilities?

2011-07-12 Thread Ramsey Gurley
I never understood that JIRA. How does the bad session ID get back into the page? I would expect a session restoration error page if a bad session ID were maliciously injected. Ramsey On Jul 12, 2011, at 6:51 AM, Mike Schrag wrote: My recommendation is to only use cookie session ids and

Re: Dynamic table with editable content

2011-07-12 Thread Ramsey Gurley
If you are using D2W, I believe you can use an EditList* page configuration to do that. I've never actually used it though. Ramsey On Jul 12, 2011, at 6:21 AM, naneon.raym...@neuf.fr wrote: Hi, Is it possible in WO to have an ERXTable or other table component with editable content? What

Re: WebObjects vulnerabilities?

2011-07-12 Thread Chuck Hill
That patch has been languishing in my inbox for almost a year now. On Jul 12, 2011, at 12:36 AM, Simon wrote: i think core WO is still plagued with the wosid cross-scripting issue too. we patch it in ERXRequest - not sure if the patch ever made it into wonder though... simon On 12

Re: Dynamic table with editable content

2011-07-12 Thread Theodore Petrosky
I have created tables with an AjaxInPlaceEditor in a few of the columns. Warning, they are expensive so you will have to batch your table. === Do you have a link to your example? <table> <tr> <th>a headline</th><th>Status</th> </tr> <wo:loop list="$thelist" item="$theItem"> <tr> <td>column 1</td><td><webobject

Not to change the subject, but . . . anyone have some Ant/Properties help for me?

2011-07-12 Thread Andrew Kinnie
I am trying to add an svn commit number to the front page of my basically headless push app. However, I am apparently doing something stupid and missing something obvious. I added this to the top of the build.xml script for the app (after the project tag): <!-- Write current build and

Re: ajaxgrid and d2w

2011-07-12 Thread Michael Gargano
Hi David, So, it's just a List Page that's been Ajax-ified. It doesn't even have an associated component, so, it's completely not embeddable in my application. I got so close with ERModern, but unfortunately every other grid in the app is an ajax grid and it just wouldn't look right.

Re: Not to change the subject, but . . . anyone have some Ant/Properties help for me?

2011-07-12 Thread Chuck Hill
This is what I do... <exec dir=".." executable="svnversion" outputproperty="svn.committed.max" errorproperty="svnversion.error"> <arg line="-n"/> </exec> Then later... </woapplication> <chmod

Re: WOWODC 2011 recordings

2011-07-12 Thread Lars Sonchocky-Helldorf
On 12.07.2011 at 15:03, Lachlan Deck wrote: On 07/07/2011, at 2:12 AM, Karl wrote: Apple isn’t Oracle (ie. it is not _insane_ when it comes to Open Source). However, I completely agree with Chuck. There is simply no reason for Apple to spend a millisecond thinking about open sourcing

Re: Xserve, Linux or Cloud

2011-07-12 Thread David LeBer
As I mentioned in a couple of the WOWODC sessions, we've had very good experience deploying to linode.com (we currently deploy to Ubuntu). I find the pricing model much cleaner than EC2 and the linode sizes work well for the majority of our apps. YMMV. On 2011-07-12, at 12:13 PM, Martin Samm

Re: Not to change the subject, but . . . anyone have some Ant/Properties help for me?

2011-07-12 Thread Andrew Kinnie
OK, just to clarify, I am a borderline illiterate when it comes to Ant, in that, I know, mostly and fairly vaguely, that it provides an xml script to build apps for deployment. And how to spell it. I think. So, just so I understand, you are saying that the first thing I have, immediately

Re: ajaxgrid and d2w

2011-07-12 Thread Ramsey Gurley
I thought the same thing, but evidently, I was wrong. I had another look at the AjaxLook list page. You're right Mike, it isn't a wrapper around AjaxGrid. If you want to use an AjaxGrid in D2W, it will require you to create a list repetition based on it. Sorry to disappoint, but you still have

Re: ajaxgrid and d2w

2011-07-12 Thread David Holt
On 2011-07-12, at 11:45 AM, Ramsey Gurley wrote: I thought the same thing, but evidently, I was wrong. I had another look at the AjaxLook list page. You're right Mike, it isn't a wrapper around AjaxGrid. If you want to use an AjaxGrid in D2W, it will require you to create a list

Re: ajaxgrid and d2w

2011-07-12 Thread Anjo Krank
You could create the dictionary it used via D2W. Cheers, Anjo On 12.07.2011 at 20:45, Ramsey Gurley wrote: I thought the same thing, but evidently, I was wrong. I had another look at the AjaxLook list page. You're right Mike, it isn't a wrapper around AjaxGrid. If you want to use an

Re: Not to change the subject, but . . . anyone have some Ant/Properties help for me?

2011-07-12 Thread Chuck Hill
On Jul 12, 2011, at 11:37 AM, Andrew Kinnie wrote: OK, just to clarify, I am a borderline illiterate when it comes to Ant, Add Learning Ant to your To Do list. in that, I know, mostly and fairly vaguely, that it provides an xml script to build apps for deployment. And how to spell it.

Re: WebObjects vulnerabilities?

2011-07-12 Thread Simon
here you go, i just found a WO powered site on the web that will kindly demonstrate the issue. it is sensitive to encoding, but this link should work in chrome and firefox (not got any IE's nearby to test):

Re: Let's find a new name for the Community

2011-07-12 Thread Tim Worman
On Jul 11, 2011, at 10:47 PM, Lars Sonchocky-Helldorf wrote: On 12.07.2011 at 02:49, Tim Worman wrote: On Jul 11, 2011, at 11:09 AM, Pascal Robert wrote: Thanks! I thought we'd decided on: FGP (Foie Gras Poutine). Can combine the two: Foie Gras Poutine: it's a Wonder that

Re: Not to change the subject, but . . . anyone have some Ant/Properties help for me?

2011-07-12 Thread Andrew Kinnie
OK, that seems to work, though the build.version is coming back exported At least it's now writing. And I am getting the dates. Progress. Thanks! Andrew On Jul 12, 2011, at 2:53 PM, Chuck Hill wrote: On Jul 12, 2011, at 11:37 AM, Andrew Kinnie wrote: OK, just to clarify, I am a

You backtracked too far error after closing AjaxModalDialog and clicking on a link on the page

2011-07-12 Thread Ricardo J. Parada
Hi All, Does anybody have an idea what could be causing this problem? The user clicks on an AjaxModalDialogOpener which opens the dialog. Then the user does a whole bunch of stuff in the dialog that involves many clicks then finally clicks a DONE link to close the dialog. The dialog has a

Re: Not to change the subject, but . . . anyone have some Ant/Properties help for me?

2011-07-12 Thread Chuck Hill
On Jul 12, 2011, at 1:34 PM, Andrew Kinnie wrote: OK, that seems to work, though the build.version is coming back exported That probably means you are running it against an exported repository, not the original. At least it's now writing. And I am getting the dates. Progress. Thanks!

Re: You backtracked too far error after closing AjaxModalDialog and clicking on a link on the page

2011-07-12 Thread Michael Gargano
my guess is your session is timing out. for some reason the Ajax components produce that error instead. I've been wondering how to fix it myself. -mike Sent from my iPhone On Jul 12, 2011, at 4:35 PM, Ricardo J. Parada rpar...@mac.com wrote: Hi All, Does anybody have an idea what could

Re: You backtracked too far error after closing AjaxModalDialog and clicking on a link on the page

2011-07-12 Thread Chuck Hill
Hi Ricardo, On Jul 12, 2011, at 1:35 PM, Ricardo J. Parada wrote: Does anybody have an idea what could be causing this problem? The user clicks on an AjaxModalDialogOpener which opens the dialog. Then the user does a whole bunch of stuff in the dialog that involves many clicks Does it

Re: Not to change the subject, but . . . anyone have some Ant/Properties help for me?

2011-07-12 Thread Chuck Hill
svnversion --help ... If invoked on a directory that is not a working copy, an exported directory say, the program will output 'exported'. The dir=.. part is probably wrong for your path structure. Try dir=. On Jul 12, 2011, at 1:49 PM, Andrew Kinnie wrote: Hmm. Well, it's true that

Re: ajaxgrid and d2w

2011-07-12 Thread Michael Gargano
On Jul 12, 2011, at 2:51 PM, Anjo Krank wrote: You could create the dictionary it used via D2W. Cheers, Anjo I'm going to give this a try. I think I might be able to get something like this working. thanks. On 12.07.2011 at 20:45, Ramsey Gurley wrote: I thought the same

Re: You backtracked too far error after closing AjaxModalDialog and clicking on a link on the page

2011-07-12 Thread Ricardo J. Parada
On Jul 12, 2011, at 4:52 PM, Chuck Hill wrote: Hi Ricardo, On Jul 12, 2011, at 1:35 PM, Ricardo J. Parada wrote: Does anybody have an idea what could be causing this problem? The user clicks on an AjaxModalDialogOpener which opens the dialog. Then the user does a whole bunch of

Re: You backtracked too far error after closing AjaxModalDialog and clicking on a link on the page

2011-07-12 Thread Chuck Hill
On Jul 12, 2011, at 2:45 PM, Ricardo J. Parada wrote: On Jul 12, 2011, at 4:52 PM, Chuck Hill wrote: Hi Ricardo, On Jul 12, 2011, at 1:35 PM, Ricardo J. Parada wrote: Does anybody have an idea what could be causing this problem? The user clicks on an AjaxModalDialogOpener which

Re: Let's find a new name for the Community

2011-07-12 Thread Lars Sonchocky-Helldorf
On 12.07.2011 at 22:10, Tim Worman wrote: On Jul 11, 2011, at 10:47 PM, Lars Sonchocky-Helldorf wrote: On 12.07.2011 at 02:49, Tim Worman wrote: On Jul 11, 2011, at 11:09 AM, Pascal Robert wrote: Thanks! I thought we'd decided on: FGP (Foie Gras Poutine). Can combine the

Re: Let's find a new name for the Community

2011-07-12 Thread Chuck Hill
On Jul 12, 2011, at 3:50 PM, Lars Sonchocky-Helldorf wrote: Well then let's better call it WOStruts or WOJSP and WOEJB … :- WOEE -- Chuck Hill Senior Consultant / VP Development Practical WebObjects - for developers who want to increase their overall knowledge of WebObjects or

Re: Let's find a new name for the Community

2011-07-12 Thread David Holt
On 2011-07-12, at 3:50 PM, Lars Sonchocky-Helldorf wrote: On 12.07.2011 at 22:10, Tim Worman wrote: On Jul 11, 2011, at 10:47 PM, Lars Sonchocky-Helldorf wrote: On 12.07.2011 at 02:49, Tim Worman wrote: On Jul 11, 2011, at 11:09 AM, Pascal Robert wrote: Thanks! I

Re: Let's find a new name for the Community

2011-07-12 Thread Johnny Miller
WASP! On Jul 12, 2011, at 12:51 PM, David Holt wrote: On 2011-07-12, at 3:50 PM, Lars Sonchocky-Helldorf wrote: On 12.07.2011 at 22:10, Tim Worman wrote: On Jul 11, 2011, at 10:47 PM, Lars Sonchocky-Helldorf wrote: On 12.07.2011 at 02:49, Tim Worman wrote: On Jul 11, 2011,

Re: WebObjects vulnerabilities?

2011-07-12 Thread Ramsey Gurley
That looks like it may be an issue with ERXWOForm._appendHiddenFieldsToResponse instead of ERXRequest. Do you have any other examples of where this can occur? Ramsey On Jul 12, 2011, at 12:32 PM, Simon wrote: here you go, i just found a WO powered site on the web that will kindly

Re: WebObjects vulnerabilities?

2011-07-12 Thread Ramsey Gurley
That's two votes for OWASP, it seems. How does it handle new techniques introduced by HTML5? Will it catch stuff like: <input onfocus=write(1) autofocus> Found a rather large list of these at html5sec.org Ramsey On Jul 12, 2011, at 5:05 AM, Josef Burzler wrote: WO-Applications are indeed

Re: You backtracked too far error after closing AjaxModalDialog and clicking on a link on the page

2011-07-12 Thread Ricardo J. Parada
On Jul 12, 2011, at 5:53 PM, Chuck Hill wrote: On Jul 12, 2011, at 2:45 PM, Ricardo J. Parada wrote: On Jul 12, 2011, at 4:52 PM, Chuck Hill wrote: Hi Ricardo, On Jul 12, 2011, at 1:35 PM, Ricardo J. Parada wrote: Does anybody have an idea what could be causing this problem?

Re: WebObjects vulnerabilities?

2011-07-12 Thread Simon
nice one! yeah, that works. whacks in a new text field into your page and gives it focus :-) https://secure.kagi.com/cgi-bin/WebObjects/PQ?wosid=3D%22%3E%3Cinput%20onfocus=write(1)%20autofocus%3E the wosid parameter in a webobjects url is a gaping backdoor for cross site scripting (whether you

Re: Re: Dynamic table with editable content

2011-07-12 Thread naneon . raymond
Hi Ted, Thanks for your help Message of: 12/07/2011 From: Theodore Petrosky tedp...@yahoo.com To: webobjects-dev@lists.apple.com Cc: naneon.raym...@neuf.fr Subject: Re: Dynamic table with editable content I have created tables with an

Re: WebObjects vulnerabilities?

2011-07-12 Thread Ramsey Gurley
That's my main concern. It is happening on every ERXRequest. I'd rather not waste the cycles if it can be handled in one method on ERXWOForm. Given the info I have now, I'd be inclined to change the boolean arg at line 251 on ERXWOForm and mark it fixed. Are there any other examples related

ERXResponseRewriter.addStylesheetResourceInHead(...)

2011-07-12 Thread Farrukh Ijaz
Hi Guys, I have an issue. In ERXResponseRewriter there is a method called addStylesheetResourceInHead(...). This method adds the stylesheet right before the </head> tag. According to CSS style inheritance, I should load the CSS in the proper sequence. The CSS I'm adding is the base CSS but because it's

Re: You backtracked too far error after closing AjaxModalDialog and clicking on a link on the page

2011-07-12 Thread Chuck Hill
On Jul 12, 2011, at 4:29 PM, Ricardo J. Parada wrote: On Jul 12, 2011, at 5:53 PM, Chuck Hill wrote: On Jul 12, 2011, at 2:45 PM, Ricardo J. Parada wrote: On Jul 12, 2011, at 4:52 PM, Chuck Hill wrote: Hi Ricardo, On Jul 12, 2011, at 1:35 PM, Ricardo J. Parada wrote: Does anybody have

Re: WebObjects vulnerabilities?

2011-07-12 Thread Dov Rosenberg
The general idea behind the OWASP approach is to provide encoders that will make your user input strings safe so that they won't activate some malicious scripting. The other thing it provides is the ability to define parameter-specific whitelists that can be validated using REGEX expressions to

Re: WebObjects vulnerabilities?

2011-07-12 Thread Chuck Hill
That is one case, but I think there are others. I don't think that an ERXWOForm fix is going to get them all. On Jul 12, 2011, at 5:23 PM, Ramsey Gurley wrote: That's my main concern. It is happening on every ERXRequest. I'd rather not waste the cycles if it can be handled in one method