lua-l archive


http://www.lua.inf.puc-rio.br/rsp/step/?_html=%3Cscript+type%3D%22text/javascript%22%3Ealert(%22this+could+have+been+a+malicious+script%22)%3C/script%3E

in case line wrapping broke the url:

http://bit.ly/crWYMP

From what you were talking about before with games, putting
?_health=100 could be harmful as well (unless you make health a
non-reactive variable). I think it would make sense to have
"reactivity" and "user-controllable" be separate properties that can
be used independently, so that you can control carefully what the user
has access to.

    henk

On 5 August 2010 18:53, Chris Babcock <cbabcock@asciiking.com> wrote:
> On Thu, Aug 5, 2010 at 3:05 PM, Henk Boom <henk@henk.ca> wrote:
>> On 5 August 2010 17:18, Chris Babcock <cbabcock@asciiking.com> wrote:
>>> On Thu, Aug 5, 2010 at 2:06 PM, Henk Boom <henk@henk.ca> wrote:
>>>> It seems that the user can change any internal variables of the
>>>> application by modifying the url, that seems like it could be a
>>>> security concern in some cases. Is there a way of preventing that?
>>>
>>> Like any web application, you still have to validate the user data.
>>> You keep your internal variables separate from the user variables and
>>> only load the user values into the *real* variables when they are
>>> in bounds. That's a fairly common source of bugs in web apps written by
>>> programmers whose experience is mostly on the desktop.
>>
>> I agree. My concern is that every variable marked as reactive is
>> automatically and transparently modifiable by the user.
>>
>>    henk
>
>
> That's true. Fortunately it's not relevant:
>
> ...
> http://www.lua.inf.puc-rio.br/rsp/step/next
>    I am in step 3
> http://www.lua.inf.puc-rio.br/rsp/step/?_step=0
>    I am in step 0
> http://www.lua.inf.puc-rio.br/rsp/step/next
>    I am in step 4
> http://www.lua.inf.puc-rio.br/rsp/step/?_step=-9
>    I am in step -9
> http://www.lua.inf.puc-rio.br/rsp/step/next
>    I am in step 5
> http://www.lua.inf.puc-rio.br/rsp/step/?_step=3
>    I am in step 3
> http://www.lua.inf.puc-rio.br/rsp/step/next
>    Finished!
>
> Do what you want with _step. When the _next event is triggered, _step
> is initialized from i before being output to the user space.
>
> Chris
>
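The split Henk proposes above (reactivity and user-controllability as separate properties), combined with Chris's rule of only loading user values into the real variables when they are in bounds, as an added Lua sketch that is not RSP's own code: the `reactive` table, `parse_query`, `apply_query` and the 0..5 range for `_step` are assumptions modelled on the thread, not the actual RSP API.

```lua
-- Added example, not RSP's own code; names and the 0..5 range are assumptions.
-- Every entry is reactive (visible to the page); only entries with user = true
-- may be written from the URL, and only through their check() function.
local reactive = {
  _step   = { value = 0, user = true, check = function(raw)   -- assumed range 0..5
                local n = tonumber(raw)
                return n and n == math.floor(n) and n >= 0 and n <= 5 and n end },
  _health = { value = 100, user = false },  -- internal: never settable from the URL
  _html   = { value = "",  user = false },  -- rendered into the page: never user-controlled
}

-- Parse "a=1&b=2" into a key/value table, percent-decoding keys and values.
local function parse_query(qs)
  local function decode(s)
    return (s:gsub("%+", " "):gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end))
  end
  local params = {}
  for pair in string.gmatch(qs, "[^&]+") do
    local k, v = string.match(pair, "^([^=]*)=?(.*)$")
    params[decode(k)] = decode(v)
  end
  return params
end

-- Apply a query string to the state; return accepted keys and rejected keys with reasons.
local function apply_query(state, qs)
  local accepted, rejected = {}, {}
  for k, raw in pairs(parse_query(qs)) do
    local entry = state[k]
    if not (entry and entry.user) then
      rejected[#rejected + 1] = k .. ": unknown or not user-controllable"
    else
      local v = entry.check(raw)
      if not v then
        rejected[#rejected + 1] = k .. ": out of bounds"
      else
        entry.value = v
        accepted[#accepted + 1] = k
      end
    end
  end
  return accepted, rejected
end

-- Constructed requests mirroring the ones quoted in the thread.
for _, qs in ipairs{ "_step=3", "_step=-9", "_health=100",
                     "_html=%3Cscript%3E%3C/script%3E" } do
  local ok, bad = apply_query(reactive, qs)
  print(qs, "accepted: " .. table.concat(ok, ","), "rejected: " .. table.concat(bad, "; "))
end
```

Rejections are returned rather than silently dropped so the server can log which URL parameters a client tried to set.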