Velocity does do a lot to minimize the risk you mention, but while we're
using stupid coding tricks, couldn't you do the following in Velocity?
#* assume strings is a Vector *#
#set ($strings = $request.getParameter("strings"))
#foreach ($string in $strings)
$strings.addElement($string.clone());
#end
-----Original Message-----
From: Geir Magnusson Jr. [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 18, 2001 8:50 AM
To: [EMAIL PROTECTED]
Subject: Re: Jasper performance
Dennis Doubleday wrote:
>
> At 07:51 AM 5/18/01, Geir wrote:
>
> >Those aren't comparable, 'Velocity templates' and 'general purpose
> >servlet container', because Velocity is just a template tool - you still
> >need the servlet and servlet container.
>
> That was exactly my point when I said Velocity doesn't really do anything
> to prevent DOS attacks, either. Any Velocity app requires a servlet
> back-end, and if I'm going to host user apps, I'm going to have to let them
> install servlets, in which case they can put in the same ever-looping code.
>
Definitely. Agreed. There is no silver bullet.
I guess the point is that you remove a little of the risk, as a designer can't
<% while(true); %>
(although as JSP compilers get better, I am sure this stuff can be found
and flagged...)
This is not intended to disparage designers: it's just a different
talent set. My use of color has been described as dangerous, bordering
on criminal :)
geir
--
Geir Magnusson Jr. [EMAIL PROTECTED]
System and Software Consulting
Developing for the web? See http://jakarta.apache.org/velocity/
"still climbing up to the shoulders..."