[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: [ANN] Reactive Server Pages
- From: Henk Boom <henk@...>
- Date: Thu, 5 Aug 2010 18:05:51 -0400
On 5 August 2010 17:18, Chris Babcock <firstname.lastname@example.org> wrote:
> On Thu, Aug 5, 2010 at 2:06 PM, Henk Boom <email@example.com> wrote:
>> It seems that the user can change any internal variables of the
>> application by modifying the url, that seems like it could be a
>> security concern in some cases. Is there a way of preventing that?
> Like any web application, you still have to validate the user data.
> You keep your internal variables separate from the user variables and
> only load the user values into the *real* variables when they are
> inbounds. That's a fairly common source of bugs in web apps written by
> programmers whose experience is mostly on the desktop.
I agree. My concern is that every variable marked as reactive is
automatically and transparently modifiable by the user.