On Mon, Jul 4, 2011 at 9:53 PM, David Manura <dm.lua@math2.org> wrote:
> On Mon, Jul 4, 2011 at 8:08 AM, Sebastien Lai <237482@googlemail.com> wrote:
>> PS: Since I'm writing LunarCGI all on my own, feedback is highly
>> appreciated - tell me what you like and what you don't! It will help.
>
> I rarely use Lua for web programming needs, but a few comments anyway
> since you asked...  One concern is that I understand you abandoned
> cgilua because you were looking for a more bare bones CGI
> implementation in Lua [1].  However, on scanning the code, I see maybe
> 1/3 devoted to a particular template/caching implementation, which is
> not strictly related to CGI.  You might consider placing that in a
> separate module for users who want to handle these concerns in another
> way.

When people use CGI libraries (I'm thinking of CGI.pm from Perl or
cgi.rb from Ruby) they tend to use templates and/or output caching -
Template.pm for Perl, or erb.rb for Ruby.

Since this technique is already quite common when using CGI modules,
and when you consider how tiny the templating engine is, I thought
that it might fit well into LunarCGI, to avoid additional
dependencies, so to say.

> In fact, the particular template logic may introduce security
> holes--e.g. things that make me nervous, without seeing an extensive
> test suite, are the loadstring, especially as the sandbox exposes
> io/os

It is true that the sandbox exposes quite a few functions that might
be risky - but quite honestly I believe the programmer knows what he
does, which is why I added it... In retrospect, I understand your
concern, and in production code, I usually only use 'pairs' or
'ipairs' -- I guess the rest is really just kind of a sort of a
feature.

> and I don't see a function to HTML escape interpolated HTML
> output to guard against things like XSS.

HTML escaping is fairly trivial, but the case in which it would be
used is NOT trivial at all, as the data in '<%= %>' might just as
well be valid HTML (in fact, the homepage of LunarCGI
[http://lunarcgi.sf.net/] inserts HTML that way when parsing the
Markdown-powered pages).
The question would be where the escaping would have to take place...

> Cookie support on your TODO
> list is an important addition.  So, like you, I'd rather see a bare
> bones CGI implementation that is no more/no less than simple, robust,
> and complete.
>

In that case I have to disappoint you: with the currently available
functionality of the Lua stdlib, writing a *working* barebones CGI
implementation is fairly impossible without the use of third-party
libraries/dependencies, and dependencies are exactly what I try to
avoid, to make redistribution of LunarCGI as simple as possible.
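The escaping question raised above, as an added example that is not LunarCGI's code: a small '<%= %>' renderer that escapes interpolated values at the point of output and uses a hypothetical raw() wrapper to pass through content that is already trusted HTML, such as rendered Markdown. It also addresses the loadstring/sandbox concern by giving template code an environment that exposes only pairs, ipairs and tostring. Assumes Lua 5.1 (setfenv) or Lua 5.2+ (load with an env argument); all names are the example's own.

```lua
-- Added example, not LunarCGI's code. Escapes '<%= %>' values by default,
-- passes trusted HTML through raw(), and hides io/os from template code.
local ESCAPES = { ["&"] = "&amp;", ["<"] = "&lt;", [">"] = "&gt;",
                  ['"'] = "&quot;", ["'"] = "&#39;" }
local function html_escape(s)
  return (tostring(s):gsub('[&<>"\']', ESCAPES))
end
-- Mark a value as already-safe HTML (e.g. rendered Markdown); hypothetical.
local function raw(html) return { __raw_html = tostring(html) } end
local function emit_value(v)
  if type(v) == "table" and v.__raw_html then return v.__raw_html end
  return html_escape(v)          -- everything else is escaped right here
end

-- Translate template text into Lua source: '<% code %>' is copied as code,
-- '<%= expr %>' becomes an escaped write, everything else a literal write.
local function compile(tpl)
  local code, pos = {}, 1
  while true do
    local s, e, kind, body = tpl:find("<%%(=?)(.-)%%>", pos)
    local literal = s and tpl:sub(pos, s - 1) or tpl:sub(pos)
    if literal ~= "" then code[#code + 1] = ("_out(%q)"):format(literal) end
    if not s then break end
    code[#code + 1] = (kind == "=") and ("_out(_emit(%s))"):format(body) or body
    pos = e + 1
  end
  return table.concat(code, "\n")
end
local function render(tpl, vars)
  local buf = {}
  -- Only these names are visible to template code: no io, os, loadstring.
  local env = { pairs = pairs, ipairs = ipairs, tostring = tostring, raw = raw,
                _emit = emit_value, _out = function(s) buf[#buf + 1] = s end }
  for k, v in pairs(vars) do env[k] = v end
  local fn, err
  if setfenv then                                    -- Lua 5.1
    fn, err = loadstring(compile(tpl), "template")
    if fn then setfenv(fn, env) end
  else                                               -- Lua 5.2+
    fn, err = load(compile(tpl), "template", "t", env)
  end
  if not fn then error(err) end
  fn()
  return table.concat(buf)
end
local page = "<h1><%= title %></h1><% for _, n in ipairs(names) do %><li><%= n %></li><% end %><div><%= body %></div>"
print(render(page, { title = '<script>alert("xss")</script>', names = { "Ann", "O'Neil" },
                     body = raw("<p>rendered <em>Markdown</em></p>") }))   -- title/names escaped, body kept
print(pcall(render, "<% os.exit() %>", {}))  -- template code cannot reach os; pcall catches the error
```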