lua-l archive


On Thu, Aug 5, 2010 at 3:05 PM, Henk Boom <henk@henk.ca> wrote:
> On 5 August 2010 17:18, Chris Babcock <cbabcock@asciiking.com> wrote:
>> On Thu, Aug 5, 2010 at 2:06 PM, Henk Boom <henk@henk.ca> wrote:
>>> It seems that the user can change any internal variables of the
>>> application by modifying the URL; that seems like it could be a
>>> security concern in some cases. Is there a way of preventing that?
>>
>> Like any web application, you still have to validate the user data.
>> You keep your internal variables separate from the user variables and
>> only load the user values into the *real* variables when they are
>> in bounds. That's a fairly common source of bugs in web apps written by
>> programmers whose experience is mostly on the desktop.
>
> I agree. My concern is that every variable marked as reactive is
> automatically and transparently modifiable by the user.
>
>    henk


That's true. Fortunately it's not relevant:

...
http://www.lua.inf.puc-rio.br/rsp/step/next
    I am in step 3
http://www.lua.inf.puc-rio.br/rsp/step/?_step=0
    I am in step 0
http://www.lua.inf.puc-rio.br/rsp/step/next
    I am in step 4
http://www.lua.inf.puc-rio.br/rsp/step/?_step=-9
    I am in step -9
http://www.lua.inf.puc-rio.br/rsp/step/next
    I am in step 5
http://www.lua.inf.puc-rio.br/rsp/step/?_step=3
    I am in step 3
http://www.lua.inf.puc-rio.br/rsp/step/next
    Finished!

Do what you want with _step. When the _next event is triggered, _step
is initialized from i before being output to the user space.

Chris
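The behaviour in the transcript above, as an added example written for this archive page; it is not RSP's code and does not use RSP's API. It models a toy step wizard with a server-side counter `state.i` and a reactive, user-visible copy `_step`: the query string may overwrite `_step`, but `_step` is re-initialised from `state.i` whenever the `next` event fires, so the tampered value never drives the application. The last function shows Chris Babcock's point from earlier in the thread, a handler that is allowed to take a step from the user and validates it before loading it into the real variable. `MAX_STEP = 5`, the starting counter of 2, `parse_query`, `handle`, `on_next` and `set_step_validated` are all assumptions made for the example.

```lua
-- Added example (not RSP code): toy step wizard modelled on the transcript.
local MAX_STEP = 5                      -- assumption: wizard finishes after step 5

local state = { i = 2 }                 -- server-side counter; assumed to start at 2
                                        -- so the first "next" prints step 3
local reactive = { _step = state.i }    -- what the user sees and may tamper with

-- Parse a query string such as "_step=-9&foo=bar" into a table.
-- Constructed helper: a real framework also URL-decodes the values.
local function parse_query(qs)
  local params = {}
  for key, value in string.gmatch(qs or "", "([^&=]+)=([^&]*)") do
    params[key] = value
  end
  return params
end

-- Copy user-supplied "_" variables straight into the reactive namespace.
-- This is what makes every reactive variable transparently modifiable.
local function apply_user_params(params)
  for key, value in pairs(params) do
    if key:sub(1, 1) == "_" then
      reactive[key] = tonumber(value) or value
    end
  end
end

-- The _next event: advance the real counter and re-initialise _step from it,
-- discarding whatever the user put into _step beforehand.
local function on_next()
  state.i = state.i + 1
  reactive._step = state.i
end

-- Rendering reads the real counter to decide whether the wizard is done,
-- and the reactive copy only for display.
local function render()
  if state.i > MAX_STEP then
    return "Finished!"
  end
  return "I am in step " .. tostring(reactive._step)
end

-- Dispatch one request: path is "next" or "", qs is the raw query string.
local function handle(path, qs)
  if path == "next" then
    on_next()
  else
    apply_user_params(parse_query(qs))
  end
  return render()
end

-- Replay the seven requests from the mail above.
print(handle("next"))
print(handle("", "_step=0"))
print(handle("next"))
print(handle("", "_step=-9"))
print(handle("next"))
print(handle("", "_step=3"))
print(handle("next"))

-- A handler that is *meant* to let the user choose a step: the user value
-- reaches state.i only after it has been checked to be an integer in bounds.
local function set_step_validated(value)
  local n = tonumber(value)
  if n == nil or n ~= math.floor(n) or n < 0 or n > MAX_STEP then
    return false, "rejected: " .. tostring(value)
  end
  state.i = n
  reactive._step = n
  return true
end

print(set_step_validated("-9"))
print(set_step_validated("3"))
```

Running it with `lua` prints the same seven lines as the transcript, followed by the rejection of `-9` and the acceptance of `3`. The design point is the one Chris makes: `_step` can hold anything the user sends, but nothing reads it as state, and the only path that copies a user value into `state.i` goes through the bounds check.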