[xwiki-devs] [Proposal] Deprecate $xwiki.parseMessage
Hi devs,
$xwiki.parseMessage is used to parse Velocity located in a translation message.
Thing is, for me it's very bad (bad design and very bad for performance and most of all for security) to have Velocity in translation messages, which makes $xwiki.parseMessage useless and some others would say a security hole (see http://jira.xwiki.org/jira/browse/XWIKI-5684).
So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
WDYT?
-- Thomas Mortagne
On Wed, Nov 24, 2010 at 14:19, Thomas Mortagne wrote:
> Hi devs,
> $xwiki.parseMessage is used to parse Velocity located in a translation message.
> Thing is, for me it's very bad (bad design and very bad for performance and most of all for security) to have Velocity in translation messages, which makes $xwiki.parseMessage useless and some others would say a security hole (see http://jira.xwiki.org/jira/browse/XWIKI-5684).
> So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
> WDYT?
I forgot to indicate that the alternative (for a very long time now) is to use $msg.get(String key, List<?> params), and I really doubt we really need Velocity for anything else than putting in the middle of a translation some value depending on the context (like the document name when printing an error and things like that).
> -- Thomas Mortagne
-- Thomas Mortagne
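An added example, not part of the original thread and not XWiki code: a heuristic audit that flags translation values containing Velocity syntax (the ones that would still depend on $xwiki.parseMessage) and separates them from values that only need a parameter list, as with $msg.get(key, params). The bundle contents, key names, properties-style layout and regexes are assumptions constructed for illustration.

```python
import re

# Constructed sample bundle (not taken from XWiki): key=value lines in the
# style of a Java .properties translation file.
SAMPLE_BUNDLE = """\
# constructed sample
core.error.notfound=The document {0} could not be found.
core.welcome=Welcome, $xwiki.getUserName($context.user)!
core.price=Total: US$ 5 per seat
core.comments=#if($doc.comments.size() > 0)Comments#{else}No comments#end
core.rename=Renamed {0} to {1}
"""

# Heuristic: Velocity references such as $name, $!name, ${name}, $!{name}.
VELOCITY_REF = re.compile(r"\$!?\{?[A-Za-z_][A-Za-z0-9_]*")
# Heuristic: Velocity directives (#set(, #if(, #foreach(, ...) and #else/#end.
VELOCITY_DIRECTIVE = re.compile(
    r"#(?:(?:set|if|elseif|foreach|macro|parse|include|evaluate)\s*\("
    r"|\{?(?:else|end)\b)"
)
# Positional placeholders filled from a parameter list: {0}, {1,number}, ...
POSITIONAL = re.compile(r"\{\d+(?:,[^}]*)?\}")


def audit_bundle(text):
    """Return {key: finding} for every translation in a properties-style bundle."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # blank line or properties comment
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if VELOCITY_REF.search(value) or VELOCITY_DIRECTIVE.search(value):
            finding = "velocity"          # only renders if the value is evaluated
        elif POSITIONAL.search(value):
            finding = "parameterised"     # renders from a parameter list alone
        else:
            finding = "static"
        report[key.strip()] = finding
    return report


def needs_migration(text):
    """Keys whose value has to be rewritten with {n} placeholders."""
    return sorted(k for k, v in audit_bundle(text).items() if v == "velocity")
```

Values reported as "velocity" are the ones to rewrite so that context such as a document name is passed as a parameter instead of being computed by script code stored in the translation.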
On 11/24/2010 02:19 PM, Thomas Mortagne wrote:
> Hi devs,
> $xwiki.parseMessage is used to parse Velocity located in a translation message.
> Thing is, for me it's very bad (bad design and very bad for performance and most of all for security) to have Velocity in translation messages, which makes $xwiki.parseMessage useless and some others would say a security hole (see http://jira.xwiki.org/jira/browse/XWIKI-5684).
> So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
> WDYT?
+1.
-- Sergiu Dumitriu
http://purl.org/net/sergiu/
+1
On Wed, Nov 24, 2010 at 2:19 PM, Thomas Mortagne wrote:
> Hi devs,
> $xwiki.parseMessage is used to parse Velocity located in a translation message.
> Thing is, for me it's very bad (bad design and very bad for performance and most of all for security) to have Velocity in translation messages, which makes $xwiki.parseMessage useless and some others would say a security hole (see http://jira.xwiki.org/jira/browse/XWIKI-5684).
> So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
> WDYT?
> -- Thomas Mortagne
> _______________________________________________
> devs mailing list
> http://lists.xwiki.org/mailman/listinfo/devs
+1
Alex
On 11/24/2010 02:19 PM, Thomas Mortagne wrote:
> Hi devs,
> $xwiki.parseMessage is used to parse Velocity located in a translation message.
> Thing is, for me it's very bad (bad design and very bad for performance and most of all for security) to have Velocity in translation messages, which makes $xwiki.parseMessage useless and some others would say a security hole (see http://jira.xwiki.org/jira/browse/XWIKI-5684).
> So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
> WDYT?
+1
Thanks, Marius
On 11/24/2010 03:19 PM, Thomas Mortagne wrote:
> Hi devs,
> $xwiki.parseMessage is used to parse Velocity located in a translation message.
> Thing is, for me it's very bad (bad design and very bad for performance and most of all for security) to have Velocity in translation messages, which makes $xwiki.parseMessage useless and some others would say a security hole (see http://jira.xwiki.org/jira/browse/XWIKI-5684).
> So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
> WDYT?
+1
Denis
On Wed, Nov 24, 2010 at 14:45, Marius Dumitru Florea wrote:
> +1
> Thanks, Marius
> On 11/24/2010 03:19 PM, Thomas Mortagne wrote:
>> Hi devs,
>> $xwiki.parseMessage is used to parse Velocity located in a translation message.
>> Thing is, for me it's very bad (bad design and very bad for performance and most of all for security) to have Velocity in translation messages, which makes $xwiki.parseMessage useless and some others would say a security hole (see http://jira.xwiki.org/jira/browse/XWIKI-5684).
>> So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
>> WDYT?
-- Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO
6 +1, doing it now
On Wed, Nov 24, 2010 at 14:19, Thomas Mortagne wrote:
> Hi devs,
> $xwiki.parseMessage is used to parse Velocity located in a translation message.
> Thing is, for me it's very bad (bad design and very bad for performance and most of all for security) to have Velocity in translation messages, which makes $xwiki.parseMessage useless and some others would say a security hole (see http://jira.xwiki.org/jira/browse/XWIKI-5684).
> So I propose to deprecate it in 2.7 to make sure we don't use that anymore.
> WDYT?
> -- Thomas Mortagne
-- Thomas Mortagne
participants (6)
- Alex Busenius
- Denis Gervalle
- Jerome Velociter
- Marius Dumitru Florea
- Sergiu Dumitriu
- Thomas Mortagne