24 Nov
2010
24 Nov
'10
2:19 p.m.
Hi devs,
$xwiki.parseMessage is used to parse velocity located in a translation message.
Thing it for me it's very bad (bad design and very bad for
performances and most of all for security) to have velocity in
translation messages which makes $xwiki.parseMessage useless and some
other would say a security hole (see
http://jira.xwiki.org/jira/browse/XWIKI-5684).
So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
WDYT ?
--
Thomas Mortagne
24 Nov
24 Nov
2:22 p.m.
On Wed, Nov 24, 2010 at 14:19, Thomas Mortagne
<thomas.mortagne(a)xwiki.com> wrote:
Hi devs,
$xwiki.parseMessage is used to parse velocity located in a translation message.
Thing it for me it's very bad (bad design and very bad for
performances and most of all for security) to have velocity in
translation messages which makes $xwiki.parseMessage useless and some
other would say a security hole (see
http://jira.xwiki.org/jira/browse/XWIKI-5684).
So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
WDYT ?
I forgot to indicate that the alternative (since a very long time) is
to use $msg.get(String key, List< ? > params) and i really doubt we
really need velocity for anything else than putting in the middle of a
translation some value depending of the context (like the document
name when printing an error and things like that).
--
Thomas Mortagne
--
Thomas Mortagne
2:27 p.m.
On 11/24/2010 02:19 PM, Thomas Mortagne wrote:
Hi devs,
$xwiki.parseMessage is used to parse velocity located in a translation message.
Thing it for me it's very bad (bad design and very bad for
performances and most of all for security) to have velocity in
translation messages which makes $xwiki.parseMessage useless and some
other would say a security hole (see
http://jira.xwiki.org/jira/browse/XWIKI-5684).
So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
WDYT ?
+1.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
2:29 p.m.
+1
On Wed, Nov 24, 2010 at 2:19 PM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com>wrote;wrote:
Hi devs,
$xwiki.parseMessage is used to parse velocity located in a translation
message.
Thing it for me it's very bad (bad design and very bad for
performances and most of all for security) to have velocity in
translation messages which makes $xwiki.parseMessage useless and some
other would say a security hole (see
http://jira.xwiki.org/jira/browse/XWIKI-5684).
So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
WDYT ?
--
Thomas Mortagne
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
2:39 p.m.
+1
Alex
On 11/24/2010 02:19 PM, Thomas Mortagne wrote:
Hi devs,
$xwiki.parseMessage is used to parse velocity located in a translation message.
Thing it for me it's very bad (bad design and very bad for
performances and most of all for security) to have velocity in
translation messages which makes $xwiki.parseMessage useless and some
other would say a security hole (see
http://jira.xwiki.org/jira/browse/XWIKI-5684).
So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
WDYT ?
2:45 p.m.
+1
Thanks,
Marius
On 11/24/2010 03:19 PM, Thomas Mortagne wrote:
Hi devs,
$xwiki.parseMessage is used to parse velocity located in a translation message.
Thing it for me it's very bad (bad design and very bad for
performances and most of all for security) to have velocity in
translation messages which makes $xwiki.parseMessage useless and some
other would say a security hole (see
http://jira.xwiki.org/jira/browse/XWIKI-5684).
So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
WDYT ?
25 Nov
25 Nov
8:42 a.m.
+1
Denis
On Wed, Nov 24, 2010 at 14:45, Marius Dumitru Florea <
mariusdumitru.florea(a)xwiki.com> wrote:
+1
Thanks,
Marius
On 11/24/2010 03:19 PM, Thomas Mortagne wrote:
--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO
Hi devs,
$xwiki.parseMessage is used to parse velocity located in a translation
message.
Thing it for me it's very bad (bad design and very bad for
performances and most of all for security) to have velocity in
translation messages which makes $xwiki.parseMessage useless and some
other would say a security hole (see
http://jira.xwiki.org/jira/browse/XWIKI-5684).
So I propose to deprecate it in 2.7 to make sure we don't use that
anymore.
WDYT ?
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
9:09 a.m.
6 +1, doing it now
On Wed, Nov 24, 2010 at 14:19, Thomas Mortagne
<thomas.mortagne(a)xwiki.com> wrote:
Hi devs,
$xwiki.parseMessage is used to parse velocity located in a translation message.
Thing it for me it's very bad (bad design and very bad for
performances and most of all for security) to have velocity in
translation messages which makes $xwiki.parseMessage useless and some
other would say a security hole (see
http://jira.xwiki.org/jira/browse/XWIKI-5684).
So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
WDYT ?
--
Thomas Mortagne
--
Thomas Mortagne
5181
days inactive
5182
days old
7 comments
6 participants
participants (6)
-
Alex Busenius -
Denis Gervalle -
Jerome Velociter -
Marius Dumitru Florea -
Sergiu Dumitriu -
Thomas Mortagne