Quoting Costin Manolache <[EMAIL PROTECTED]>:

> Bojan Smojver wrote:
>
> > All right then, let's talk about JSP's. If I host my clients' JSP's on my
> > server and a web designer puts this in (BTW, he wasn't forced, he simply
> > decided he wanted to do it):
>
> And your proposed solution is ... ?

Don't use JSP's. I think that was very clear from the beginning of this thread.

> Do you have a patch to solve this problem ? If so, send the code. If
> not - please let me know what's your point here ? Do you think we're stupid
> and never heard about denial of service ?

No, I don't think that anyone here is stupid - how did you get that idea? And I don't have a patch. I don't think anyone has. Furthermore, since this is not my itch any more, why would I scratch?

Also I don't think that malicious people can be prevented from causing problems if they really want to. But, if you make it easy for it to happen by accident to the people that don't really understand what they're doing, that's asking for trouble (e.g. how many web designers really understand the concept of session beans?).

My point is this - JSP makes it dead easy to not write MVC applications and to fiddle with Java code where you shouldn't. Jon explained it here: http://jakarta.apache.org/velocity/ymtd/ymtd.html. Bottom line: let designers design and let programmers program.

> BTW, velocity _is_ a programming language - at least by the book definition,
> AFAIK it is Turing complete. Some things are more difficult to do, but
> not impossible - you can see it as a benefit, I see it as a major lack
> of flexibility.

Actually, I think even Velocity can do too much. An even better template language (or whatever you want to name it - don't really care) wouldn't allow method calls etc. But that's a different story altogether...

> So if you want to discuss solutions for this problem - I'm sure it'll
> help other templating and programming tools as well, including velocity
> ( which BTW can be a nice tool - and the lack of flexibility can be
> good in some cases ).
>
> I don't know what to do about your web designer - who doesn't know
> programming but decides to write some DOS code in his page. But I know
> that the best web applications I've used so far ( including some in
> php or perl ) were written by people who know a lot of programming.
> You need software engineers, usability engineers - not web designers
> who are clueless on programming ( and can't be trusted to not write
> DOS just for fun ).

I'm not talking about my web designer, I'm talking about my clients' web designers. I cannot fire my clients' employees. I also don't have any influence over what they do and don't know, how qualified they are and if they care.

Again, the point is - why give people power (that they don't need anyway) and hope nothing bad will happen?

Bojan