[Cubicweb] annotating divs with rql and vid

Nicolas Chauvat nicolas.chauvat at logilab.fr
Fri May 25 10:15:45 CEST 2012

On Thu, May 24, 2012 at 09:39:24PM +0200, Sylvain Thénault wrote:
> > 2/ IMHO the direction the web is going is "write client-based apps in
> > the browser with js and query data backend with sparql". We have RQL
> > and js already, let's not move back to the standard API-based design
> > where everything must have a URL known by the developer.
> This is also a core point that will further drive the discussion. Do we
> want to be able to run sites with rql input disabled? IMO we've already
> built a bunch of sites where the answer is definitely yes. And I think
> we'll have to build some others. Toying with CW has a price...

What would you say were the reasons to disable rql input?

> * what can't we have by disabling rql input, besides allowing users to type
>   arbitrary rql?

And the answer is?

> * if we decide rql input is the future, then we should not delay anymore
>   working on related security concerns.

What are the security issues you think about? The security of several
sites in production was tested by third parties that did not find

Nicolas Chauvat

logilab.fr - scientific computing and knowledge management services
