Posted to dev@wookie.apache.org by "Ross Gardler (Updated) (JIRA)" <ji...@apache.org> on 2012/01/20 15:26:39 UTC

[jira] [Updated] (WOOKIE-300) Full whitelist access granted to any widget built from a template

     [ https://issues.apache.org/jira/browse/WOOKIE-300?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ross Gardler updated WOOKIE-300:
--------------------------------

    Priority: Minor  (was: Blocker)

I was just thinking of simple string replacement from the properties file. Requiring people to edit the generated config.xml file smells to me - next time someone makes a change to the widget definition files and regenerates the widget the changes will be overwritten. I've just made that change in SVN (property name widget.access.origin with a default value of "foo.bar" which should be harmless). This is an acceptable interim solution, in my opinion (dropping priority as a result).

I agree that parsing browse URLs and such would be cool. We don't really have to wait for a move to a non-ANT build system though. Ant allows scripted tasks to be defined (see http://www.javaranch.com/journal/2003/12/ScriptingAnt.html). My intention with these kinds of "lovely to have" features was to implement them as and when using JavaScript tasks and, one day, building a widget to build widgets from templates. It's a nice dream to have ;-)
                
> Full whitelist access granted to any widget built from a template
> -----------------------------------------------------------------
>
>                 Key: WOOKIE-300
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-300
>             Project: Wookie
>          Issue Type: Bug
>          Components: Template
>    Affects Versions: 0.9.2
>            Reporter: Ross Gardler
>            Priority: Minor
>             Fix For: 0.9.2
>
>
> At present the config.xml has a hard coded whitelist of '*' - not overly secure!
> This should be parameterised and limited to a sensible setting

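A build-time check for the wildcard whitelist discussed in this issue, as an added example that is not part of the original message or of Wookie's code. It assumes the generated config.xml uses the W3C widget namespace and the `<access origin="...">` element; the sample documents, the approved-origin set and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WIDGETS_NS = "http://www.w3.org/ns/widgets"  # W3C widget packaging namespace

# Constructed samples (not Wookie's real template output).
WILDCARD_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets">
  <name>Sample</name>
  <access origin="*"/>
</widget>"""

RESTRICTED_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets">
  <name>Sample</name>
  <access origin="https://feeds.example.org" subdomains="false"/>
</widget>"""


def access_requests(config_xml):
    """Return (origin, subdomains) for every <access> element in config.xml."""
    root = ET.fromstring(config_xml)
    requests = []
    for el in root.iter(f"{{{WIDGETS_NS}}}access"):
        origin = (el.get("origin") or "").strip()
        subdomains = (el.get("subdomains") or "false").strip().lower() == "true"
        requests.append((origin, subdomains))
    return requests


def audit_access(config_xml, approved_origins):
    """List whitelist entries that are wider than the approved origins."""
    findings = []
    for origin, subdomains in access_requests(config_xml):
        if origin == "*":
            findings.append("origin '*' whitelists every network resource")
        elif origin not in approved_origins:
            findings.append(f"origin {origin!r} is not an approved origin")
        elif subdomains:
            findings.append(f"origin {origin!r} also whitelists all subdomains")
    return findings


if __name__ == "__main__":
    approved = {"https://feeds.example.org"}  # hypothetical approved list
    for label, xml_text in (("wildcard", WILDCARD_CONFIG),
                            ("restricted", RESTRICTED_CONFIG)):
        print(label, audit_access(xml_text, approved) or "ok")
```

Run against each regenerated config.xml, a non-empty result can fail the build so that a template change cannot silently reintroduce the wildcard.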