On Fri, 22 Nov 2002, David Graham wrote:

> Date: Fri, 22 Nov 2002 14:55:55 -0700
> From: David Graham <[EMAIL PROTECTED]>
> Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> Subject: Re: Velocity vs. JSP: objective tests?
> I've always found it amusing that people are worried about page authors
> totally screwing up the application by executing arbitrary code.  Who are
> these rogue page authors you're hiring that will destroy your app?
> "We can't pass anything but a value bean with read only properties to this
> idiot page designers or they'll screw us!".
> I'm not implying that this is your view Craig, I have heard architects use
> this argument before though.

It is, in fact, not a big concern of mine. It's one of the arguments that
Velocity advocates originally made, and is also one of things people like
Jason Hunter like about Tea (which is now on SF at
<http://teatrove.sourceforge.net>).  See Jason's thoughts about Tea on his
website <http://www.servlets.com> and the 2nd edition of "Java Servlet
Programming".  The concern, as I understand it, is not so much about
deliberately malicious page developers, but those that make errors that
are not caught prior to production deployment, which result in things like
stack traces shown to the end user.

> David


To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Reply via email to