Markus Joschko wrote:
> Of course. But normally it's well defined what you expect the user to enter.
> Be it a blog comment (title, text, mail) or an order or whatever.
> The developer knows about the syntax and semantics of these properties.
> Not so for properties that are added by the user when circumventing the UI.
> How should they be validated? Are they maybe accidentally rendered by
> a defaultservlet?
> Can the content be used for XSS then? etc.
> The security guys that I had to work with are keen on controlling the
> data. You don't need the data? Then why would you store it?

I can completely understand the security concern - you don't want people
to add or change arbitrary properties somewhere in your repository. So
it really makes sense to restrict this.

>>
>> Not necessarily, I would opt for validation inside servlet filters, custom
>> POST script/servlet or sling post processor. Node types should only be
>> used for things that you know are really fixed and won't change much in
>> the future. Such as the common nt:file and nt:folder definitions in the
>> JCR spec.
> 
> OK, then you'd keep all rules that define your model and the
> validation rules "in code" (or configured elsewhere).
> You just don't use the abilities of the JCR to check node properties.

Now, as soon as you start using node types you might hit limitations
later on, as it might be hard to update your node type - the same with
databases; but it's possible, though.
But unfortunately I guess the node type definitions are not sufficient
when it comes to data validation - you can't specify ranges, for
example. So you need additional validation anyway.

> That makes me want to have a controller to validate my data against my
> model and only pass the verified data to the view to render it ;-)
> Can filters be used for that task?

You could use filters or you could also use the SlingPostProcessor
concept. Handling this in a filter is more general as it would cover all
write operations, not only those done through the default Sling post
servlet (you can write your own post servlets, for example).

Regards
Carsten
-- 
Carsten Ziegeler
[email protected]
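The SlingPostProcessor approach discussed in this thread, written out as an added example (this is not code from the thread, nor Sling's own code). It uses the real org.apache.sling.servlets.post.SlingPostProcessor interface and OSGi Declarative Services annotations; the package name, the resource type "example/components/comment", the property allowlist and the range/format rules are assumptions chosen for the illustration. The processor runs after the default POST servlet has applied the request to the JCR session but before the session is saved: it rejects any property the comment model does not define (the "extra properties added by circumventing the UI" case) and checks a numeric range and a mail format, which a node type definition cannot express. Throwing from the processor makes the post servlet answer with an error instead of saving, so the offending data never reaches the repository.

```java
package example.validation; // hypothetical package

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.servlets.post.Modification;
import org.apache.sling.servlets.post.ModificationType;
import org.apache.sling.servlets.post.SlingPostProcessor;
import org.osgi.service.component.annotations.Component;

/**
 * Validates blog comments written through the Sling POST servlet against a
 * fixed property model. Registered as an OSGi service so the post servlet
 * picks it up automatically.
 */
@Component(service = SlingPostProcessor.class)
public class CommentValidationPostProcessor implements SlingPostProcessor {

    // Assumed resource type and property model for a comment.
    private static final String COMMENT_TYPE = "example/components/comment";
    private static final Set<String> ALLOWED = new HashSet<>(
        Arrays.asList("title", "text", "mail", "rating"));
    // Properties that Sling/JCR set themselves; they are not user input.
    private static final Set<String> SYSTEM = new HashSet<>(Arrays.asList(
        "jcr:primaryType", "jcr:mixinTypes", "jcr:created", "jcr:createdBy",
        "jcr:lastModified", "jcr:lastModifiedBy", "sling:resourceType"));

    @Override
    public void process(SlingHttpServletRequest request, List<Modification> changes)
            throws Exception {
        ResourceResolver resolver = request.getResourceResolver();
        Set<String> checked = new HashSet<>();
        for (Modification change : changes) {
            ModificationType type = change.getType();
            if (type != ModificationType.CREATE && type != ModificationType.MODIFY) {
                continue; // deletes, moves, ordering etc. add no user data
            }
            Resource comment = findComment(resolver, change.getSource());
            if (comment != null && checked.add(comment.getPath())) {
                validate(comment);
            }
        }
    }

    /**
     * CREATE entries carry the node path, MODIFY entries the property path,
     * and the JCR provider may resolve a property path to a property
     * resource, so the parent node is tried as well.
     */
    private Resource findComment(ResourceResolver resolver, String path) {
        Resource r = resolver.getResource(path);
        if (r != null && r.isResourceType(COMMENT_TYPE)) {
            return r;
        }
        int slash = path.lastIndexOf('/');
        if (slash > 0) {
            Resource parent = resolver.getResource(path.substring(0, slash));
            if (parent != null && parent.isResourceType(COMMENT_TYPE)) {
                return parent;
            }
        }
        return null;
    }

    /** The ValueMap reflects the unsaved session state, i.e. the request's effect. */
    private void validate(Resource comment) {
        ValueMap props = comment.adaptTo(ValueMap.class);
        if (props == null) {
            throw new IllegalStateException("Cannot read " + comment.getPath());
        }
        for (String name : props.keySet()) {
            if (!SYSTEM.contains(name) && !ALLOWED.contains(name)) {
                // Reject rather than silently drop: the client is misbehaving.
                throw new IllegalArgumentException(
                    "Property not allowed on comment " + comment.getPath() + ": " + name);
            }
        }
        Integer rating = props.get("rating", Integer.class);
        if (rating != null && (rating < 1 || rating > 5)) {
            throw new IllegalArgumentException("rating must be between 1 and 5, got " + rating);
        }
        String mail = props.get("mail", String.class);
        if (mail != null && !mail.matches("[^@\\s]+@[^@\\s]+\\.[^@\\s]+")) {
            throw new IllegalArgumentException("mail is not a valid address");
        }
    }
}
```

Because a processor only sees writes made through the Sling POST servlet, a custom post servlet or a script writing directly via the ResourceResolver bypasses it; that is the point of the remark above that a servlet filter inspecting the POST parameters is the more general place for the same allowlist.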
