Re: [xwiki-devs] Why /templates not in /WEB-INF?

Tiago Rinck Caveden wrote: That is one of the things Open Source lists as a strong point, the ability to view the code and see how it works. Sure, people are afraid that attackers can see holes in the source and take advantage of them, but that is the closed source way of thinking. But it is well known that it never prevents attacks from happening. On the other hand, when the code can be seen by anyone, good hackers can detect those holes and provide patches for them before a bad cracker gets the idea to try and attack the site. The open model is always better. Let's put it this way, if an attacker wants to attack a site, he will do it with or without the code. If a good hacker wants to help, he won't do it if he has to reverse engineer. He can't provide a patch if he doesn't have something to patch first. So a hidden hole is more likely to remain a hole than an open one. Anyway, the way XWiki is made, the templates can be (re)placed in many ways, not only as files in /templates/, but as files in /skins/XYZ/, attachments to a wiki document, or fields in a wiki object. This makes XWiki the most flexible and customizable web development platform ever, but requires that you take care of your code, as it will always be open (for viewing). One solution around this would be to have a custom file with macros, placed in WEB-INF, and registered as a global macro file in velocity.properties (note that this doesn't work starting with 1.5, as global macros work differently in the new velocity component). The restriction is that only macros can be used that way, and not actual templates. You can, however, define each "template" code as a macro, and put only one macro call in the actual template file. -- Sergiu Dumitriu http://purl.org/net/sergiu/