On Jan 14, 2008 2:11 PM, C. Bergström <[EMAIL PROTECTED]> wrote:
>         "INTEGRITY: HDIV guarantees integrity (no data modification) of all 
> the data generated by the server which should not be modified by the client 
> (links, hidden fields, combo values, radio buttons, destiny pages, etc.)."

Not really sure what this means. How does the user modify a link or a
combo value in an unexpected way?

Hidden fields are not a problem because there is no client state in
Wicket... you don't need hidden fields to pass around database ids; you
keep them on the server side in the session.

Destiny pages are also selected on the server side.

>         "EDITABLE DATA VALIDATION: HDIV eliminates to a large extent the risk 
> originated by attacks of type Cross-site scripting (XSS) and SQL Injection 
> using generic validations of the editable data (text and textarea)"

We have pretty good validators as well...

>         "CONFIDENTIALITY: HDIV guarantees the confidentiality of the non 
> editable data as well. Usually lots of the data sent to the client has key 
> information for the attackers such as database registry identifiers, column 
> or table names, web directories, etc"

We have this by default. Database ids and the like never make it into
the URL unless you choose to create a bookmarkable link that has this
id as a parameter.

We also provide session-relative URLs, and a crypt strategy which
encrypts the URL. Not sure what more we can possibly do out of the
box...

-igor

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
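The two mechanisms the reply above contrasts, a URL whose non-editable parameters are bound by a MAC (the "integrity" HDIV describes) versus keeping the real ids in the session and handing the client only an opaque token (the Wicket approach Igor describes), as an added illustration that is not part of this thread and is not Wicket's or HDIV's own code. SECRET_KEY, the function and class names, and the sample parameters are assumptions; the block uses only the Python standard library and runs offline.

```python
# Added illustration for this thread; not Wicket's or HDIV's own code.
# SECRET_KEY, the function names and the sample parameters are assumptions.
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Assumed per-deployment key; a real application would load it from
# configuration rather than hard-code it.
SECRET_KEY = b"example-key-not-for-production"


def _canonical(params: Dict[str, str]) -> str:
    """Deterministic encoding so the server can recompute the MAC later."""
    return urlencode(sorted(params.items()))


def sign_params(params: Dict[str, str], key: bytes = SECRET_KEY) -> str:
    """Build a query string whose non-editable values are bound by an HMAC.

    This is the integrity half of what the HDIV text describes: the client
    carries the parameters (link, combo value, hidden field) but cannot
    change them without the server noticing.
    """
    canonical = _canonical(params)
    mac = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return f"{canonical}&mac={mac}"


def verify_params(query: str, key: bytes = SECRET_KEY) -> Optional[Dict[str, str]]:
    """Return the parameters if the MAC matches, otherwise None.

    Any change (edited value, extra parameter, dropped parameter) alters the
    canonical string and therefore fails verification.
    """
    parsed = parse_qs(query, keep_blank_values=True)
    macs = parsed.pop("mac", None)
    if not macs or len(macs) != 1:
        return None
    flat: Dict[str, str] = {}
    for name, values in parsed.items():
        if len(values) != 1:  # duplicated parameter names are rejected outright
            return None
        flat[name] = values[0]
    expected = hmac.new(key, _canonical(flat).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, macs[0]):
        return None
    return flat


class ServerSideIds:
    """Session-scoped map from opaque tokens to real database ids.

    This mirrors the approach Igor describes: the id stays in the session and
    only an unguessable token reaches the client, which gives integrity and
    confidentiality without signing or encrypting anything in the URL.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, int] = {}

    def token_for(self, db_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._tokens[token] = db_id
        return token

    def resolve(self, token: str) -> Optional[int]:
        return self._tokens.get(token)


if __name__ == "__main__":
    # Constructed sample: a link carrying a record id and a combo-box value.
    q = sign_params({"id": "42", "role": "user"})
    print(verify_params(q))                                     # {'id': '42', 'role': 'user'}
    print(verify_params(q.replace("role=user", "role=admin")))  # None
    print(verify_params(q + "&admin=1"))                        # None
    ids = ServerSideIds()
    tok = ids.token_for(42)
    print(ids.resolve(tok), ids.resolve("made-up"))             # 42 None
```

The signed form still exposes the real values (so it only gives integrity, not the confidentiality HDIV also claims); the token form hides them but ties the link to the session that minted it, which is the trade-off behind Wicket's default of keeping ids server-side and offering encrypted or session-relative URLs only as an option.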