On Fri, 22 Nov 2002, David Graham wrote:
> Date: Fri, 22 Nov 2002 14:55:55 -0700
> From: David Graham <[EMAIL PROTECTED]>
> Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Velocity vs. JSP: objective tests?
>
> I've always found it amusing that people are worried about page authors
> totally screwing up the application by executing arbitrary code. Who are
> these rogue page authors you're hiring that will destroy your app?
>
> "We can't pass anything but a value bean with read only properties to these
> idiot page designers or they'll screw us!".
>
> I'm not implying that this is your view Craig, I have heard architects use
> this argument before though.
>

It is, in fact, not a big concern of mine. It's one of the arguments that Velocity advocates originally made, and is also one of the things people like Jason Hunter like about Tea (which is now on SF at <http://teatrove.sourceforge.net>). See Jason's thoughts about Tea on his website <http://www.servlets.com> and the 2nd edition of "Java Servlet Programming".

The concern, as I understand it, is not so much about deliberately malicious page developers, but those that make errors that are not caught prior to production deployment, which result in things like stack traces shown to the end user.

> David

Craig
