- Subject: Re: LunarCGI (was Re: CGI.lua - A native CGI Interface)
- From: Sebastien Lai <237482@...>
- Date: Tue, 5 Jul 2011 00:12:50 +0200
On Mon, Jul 4, 2011 at 9:53 PM, David Manura <email@example.com> wrote:
> On Mon, Jul 4, 2011 at 8:08 AM, Sebastien Lai <firstname.lastname@example.org> wrote:
>> PS: Since I'm writing LunarCGI all on my own, feedback is highly
>> appreciated - tell me what you like and what you don't! It will help.
> I rarely use Lua for web programming needs, but a few comments anyway
> since you asked... One concern is that I understand you abandoned
> cgilua because you were looking for a more bare bones CGI
> implementation in Lua. However, on scanning the code, I see maybe
> 1/3 devoted to a particular template/caching implementation, which is
> not strictly related to CGI. You might consider placing that in a
> separate module for users who want to handle these concerns in another
When people use CGI libraries (I'm thinking of CGI.pm from Perl or
cgi.rb from Ruby) they tend to use templates and/or output caching -
Template.pm for Perl, or erb.rb for Ruby.
Since this technique is already quite common when using CGI modules,
and when you consider how tiny the templating engine is, I thought
that it might fit well into LunarCGI, to avoid additional
dependencies, so to say.
> In fact, the particular template logic may introduce security
> holes--e.g. things that make me nervous, without seeing an extensive
> test suite, are the loadstring, especially as the sandbox exposes
It is true that the sandbox exposes quite a few functions that might
be risky - but quite honestly I believe the programmer knows what he
does, which is why I added it... In retrospect, I understand your
concern, and in production code, I usually only use 'pairs' or
'ipairs' -- I guess the rest is really just kind of a sort of a
> and I don't see a function to HTML escape interpolated HTML
> output to guard against things like XSS.
HTML escaping is fairly trivial, but the case in which it would be
used is NOT trivial at all, as the data in '<%= %>' might be just as
well valid HTML (in fact, the homepage of LunarCGI
[http://lunarcgi.sf.net/] inserts HTML that way when parsing the
The question would be where the escaping would have to take place...
> Cookie support on your TODO
> list is an important addition. So, like you, I'd rather see a bare
> bones CGI implementation that is no more/no less than simple, robust,
> and complete.
In that case I have to disappoint you: with the currently available
functionality of the Lua stdlib, writing a *working* barebones CGI
implementation is fairly impossible without the use of 3rd-party
libraries/dependencies, and dependencies are exactly what I try to
avoid, to make redistribution of LunarCGI as simple as possible.
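One answer to "where the escaping would have to take place" is: at the `<%= %>` interpolation point, by default, with trusted HTML opted in explicitly. The sketch below is an added example written for this thread, not LunarCGI's own code; it assumes Lua 5.1 (`loadstring`/`setfenv`, as discussed above) with a Lua 5.2+ fallback, and a constructed template as input.

```lua
-- Added example, not LunarCGI code: escape interpolated values by default and
-- make trusted HTML an explicit opt-in, so the escaping decision is visible.
local function html_escape(s)
  return (tostring(s):gsub("[&<>\"']", { ["&"] = "&amp;", ["<"] = "&lt;",
    [">"] = "&gt;", ['"'] = "&quot;", ["'"] = "&#39;" }))
end
-- Values wrapped with raw() carry this metatable and bypass escaping.
local RAW = {}
local function raw(html) return setmetatable({ html = tostring(html) }, RAW) end
local function emit(v)
  if getmetatable(v) == RAW then return v.html end
  return html_escape(v)
end

-- Translate "<%= expr %>" and "<% code %>" into Lua source. Every <%= %>
-- goes through emit(), so forgetting to escape is not possible by default.
local function compile(template)
  local parts, pos = {}, 1
  while true do
    local s, e, kind, body = template:find("<%%(=?)%s*(.-)%s*%%>", pos)
    if not s then break end
    parts[#parts + 1] = string.format("_out(%q)", template:sub(pos, s - 1))
    parts[#parts + 1] = kind == "=" and ("_out(_emit(" .. body .. "))") or body
    pos = e + 1
  end
  parts[#parts + 1] = string.format("_out(%q)", template:sub(pos))
  return table.concat(parts, "\n")
end

-- Run the compiled chunk in a minimal environment: only pairs/ipairs/tostring,
-- raw(), and the caller's variables are reachable from template code.
local function render(template, vars)
  local buf, code = {}, compile(template)
  local env = { _out = function(s) buf[#buf + 1] = s end, _emit = emit,
    raw = raw, pairs = pairs, ipairs = ipairs, tostring = tostring }
  for k, v in pairs(vars) do env[k] = v end
  local chunk, err
  if setfenv then chunk, err = loadstring(code, "=template")   -- Lua 5.1
  else chunk, err = load(code, "=template", "t", env) end      -- Lua 5.2+
  if not chunk then error(err) end
  if setfenv then setfenv(chunk, env) end
  chunk()
  return table.concat(buf)
end
-- Constructed input: an untrusted title is neutralised, the footer is trusted.
print(render("<h1><%= title %></h1><ul><% for _, n in ipairs(names) do %><li><%= n %></li><% end %></ul><%= footer %>", {
  title = 'x <script>alert(1)</script>', names = { "a&b", "<i>" },
  footer = raw("<em>site footer</em>"),
}))
```

The page's own case of inserting HTML through `<%= %>` becomes `raw(...)` at the call site, so a reviewer can grep for the places where unescaped markup enters the output.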