[Cubicweb] annotating divs with rql and vid

Sylvain Thénault sylvain.thenault at logilab.fr
Fri May 25 12:13:34 CEST 2012


On 25 mai 10:43, Sylvain Thénault wrote:
> On 25 mai 10:20, aurélien campéas wrote:
> > 2012/5/25 Nicolas Chauvat <nicolas.chauvat at logilab.fr>
> That was a real question. IMO there is only a few cube/application actually
> relying on this and without an easy alternative option (eg eid=1234).
> 
> > > > * if we decide rql input is the future, then we should not delay anymore
> > > >   working on related security concerns.
> > >
> > > What are the security issues you think about? The security of several
> > > sites in production was tested by third parties that did not find
> > > breaches.
> 
> LOL

That sounded more harsh than desired. To make things clear: cw is fine with
security concerns such as XSS, SQL injection, etc. It isn't with DoS on sites
where rql input hasn't been disabled. And currently disabling rql input means
loosing a bunch of the default automatic ui functionnalities, and so needs an
almost full new interface.

-- 
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (09.54.03.55.76)
Formations Python, Debian, Méth. Agiles: http://www.logilab.fr/formations
Développement logiciel sur mesure:       http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org


More information about the Cubicweb mailing list