[Velocity Wiki] Update of "BuildingSecureWebApplications" by NathanBubna

by Apache Wiki

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Velocity Wiki" for change notification.

The following page has been changed by NathanBubna:
http://wiki.apache.org/velocity/BuildingSecureWebApplications

------------------------------------------------------------------------------
 
   * '''Velocity is a templating tool, not a framework.'''  It does not address any issues of authentication, access control, session state, or data persistence.
   * '''VTL method calls are actually Java method calls.'''  This means that a poorly designed velocity application can allow template designers to alter the system state, execute direct SQL queries or even instantiate arbitrary Java classes.  Potential security consequences of this are discussed in more detail below.
-  * '''VTL references have Java types.'''  Although this is not visible to the template writer, each reference is a java object with a particular type.  If $apple is an integer "1", $orange is a string "1" and $banana is a double "1.0", none of these objects are == according to VTL. This can be confusing to the typical non-technical HTML template designer.
+  * '''VTL references have Java types.'''  Although this is not visible to the template writer, each reference is a java object with a particular type.  If $apple is an integer "1", $orange is a string "1" and $banana is a double "1.0", none of these objects are == according to VTL. This can be confusing to the typical non-technical HTML template designer. (Actually, as of Velocity 1.5, if objects are not of the same type, a comparison of their string values is done.  So, $apple and $orange are now == in VTL.)
 
 
 
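Review bot: the parenthetical appended on the `+` line contradicts the sentence it follows, which still states that none of $apple, $orange and $banana are ==. Since the described 1.5 behaviour compares string values when the types differ, the integer 1 and the string "1" now compare equal, but the double 1.0 (string value "1.0") still does not; the bullet should be reworded to say that $apple and $orange are == while $banana remains unequal, rather than leaving "none of these objects are ==" in place followed by an "Actually..." correction. Stating that the earlier behaviour applies to versions before 1.5 would also give the reader the version context the bullet currently lacks.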

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...
