[GRASS-dev] GSoC 2014: GRASS GIS Web UI

epi massimodisasha at gmail.com
Mon Mar 10 19:19:22 PDT 2014


Glynn, 

I understood the risk and I agree in toto with you.
For the web-ui interface we can define the rules for each kind of entry
and publish the rules/restrictions on a help page.
Then, when an invalid-input exception is raised, the UI will point the user to the rules page.

Massimo.

On Mar 10, 2014, at 12:02 PM, Glynn Clements <glynn at gclements.plus.com> wrote:

> 
> epi wrote:
> 
>> I guess the code behind the web-ui has to sanitize each text entry;
>> will this be enough?
>> 
>> A "sanitize inspection" on all the "input" coming from the web-ui
>> can be performed, and this will be part of the UI itself, not of the
>> GRASS modules, with the aim of avoiding people doing something like ..
>> http://xkcd.com/327/ ;)
> 
> That's the main thing.
> 
> If you allow the user to e.g. provide names for maps, such names
> should be limited to alphanumeric characters and limited to a
> reasonable length.
> 
> If you allow the user to provide a list of inputs, limit both the
> maximum number of items and the total length of the resulting textual
> representation.
> 
> And so on.
> 
> In short, GRASS modules are designed for use by local users who
> already have shell access, so there hasn't been any need to program
> defensively. The OS prevents people from e.g. reading or writing files
> which they aren't supposed to.
> 
> -- 
> Glynn Clements <glynn at gclements.plus.com>
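The checks Glynn describes (map names restricted to alphanumeric characters and a reasonable length, lists bounded in item count and in total text length, validation done in the UI layer rather than in the modules) as an added Python example. This is illustrative code written for this page, not code from the GSoC project or from GRASS GIS; the character set, the length limits, the module allowlist and the rules-page URL are all assumptions chosen for the example.

```python
import re

# All limits, the allowed character set, the module allowlist and the help URL
# below are assumptions modelled on the guidance in the thread; none are
# values taken from GRASS GIS.
MAP_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,63}")   # '_' allowed: assumption
PARAM_KEY_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")
MAX_LIST_ITEMS = 50
MAX_LIST_TEXT_LEN = 2048
ALLOWED_MODULES = frozenset({"r.info", "g.list", "g.copy"})  # hypothetical allowlist
RULES_URL = "https://example.invalid/webui/input-rules"      # hypothetical help page


class InvalidInput(ValueError):
    """Raised by the UI layer. The message names the violated rule and
    points the user at the rules page, as Massimo proposes."""

    def __init__(self, rule):
        super().__init__(f"{rule} (see {RULES_URL})")


def validate_map_name(name):
    # fullmatch, not match/search: "elev\n" or "elev;rm -rf x" must not pass
    # just because a prefix matched. [A-Za-z0-9] rather than \w or \d, so
    # non-ASCII letters and digits are rejected as well.
    if not isinstance(name, str) or MAP_NAME_RE.fullmatch(name) is None:
        raise InvalidInput(
            "map names: a letter followed by up to 63 letters, digits or '_'")
    return name


def validate_map_list(items):
    # Bound the number of items first, then validate each one, then bound the
    # length of the textual form that will be handed to the module.
    items = list(items)
    if len(items) > MAX_LIST_ITEMS:
        raise InvalidInput(f"at most {MAX_LIST_ITEMS} maps per list")
    joined = ",".join(validate_map_name(i) for i in items)
    if len(joined) > MAX_LIST_TEXT_LEN:
        raise InvalidInput(f"map list longer than {MAX_LIST_TEXT_LEN} characters")
    return joined


def build_command(module, **params):
    """Return argv for a GRASS module call. Each key=value is its own argv
    entry and the list is meant for subprocess.run(argv) without shell=True,
    so no shell ever parses user data. Values must already have been
    validated; this only checks the module name and the parameter keys,
    because the modules themselves were not written defensively."""
    if module not in ALLOWED_MODULES:
        raise InvalidInput("module not available from the web UI")
    argv = [module]
    for key, value in params.items():
        if PARAM_KEY_RE.fullmatch(key) is None:
            raise InvalidInput("bad parameter name")
        argv.append(f"{key}={value}")
    return argv


def rejected(fn, *args):
    """True if fn(*args) raises InvalidInput; used by the demo below."""
    try:
        fn(*args)
    except InvalidInput:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, including the xkcd 327 one from the thread.
    for n in ["elevation", "landuse_2014"]:
        print("accepted:", validate_map_name(n))
    for n in ["Robert'); DROP TABLE Students;--", "elev\n", "élévation", "a" * 65, ""]:
        print(repr(n), "rejected:", rejected(validate_map_name, n))
    print(build_command("r.info", map=validate_map_name("elevation")))
    print(validate_map_list(["elevation", "landuse_2014"]))
```

The important detail is that validation happens before the value reaches any module and that the module is invoked through an argv list rather than a shell string; the regex then only has to describe what a legitimate name looks like, not enumerate the dangerous characters.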



More information about the grass-dev mailing list