Hi,
I am a great fan of RESTXQ, however there seems to be a security concern with the current BaseX implementation when used without additional layers on top. This is that the source code is available for anyone to view.
E.g. with the standard installation http://localhost:8984/restxq/ is the restxq demo but
http://localhost:8984/restxq.xqm reveals the source. I have pondered small changes to the implementation that would address this, e.g. maybe the RESTXQ code could go in WEB-INF folders or similar.
Regards
/Andy
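
An added example, not part of the original post and not BaseX code: a local check that lists XQuery files a servlet container would hand out as static content because they sit outside WEB-INF, the relocation suggested above. The extensions other than .xqm, the sample directory layout and the function names are assumptions.

```python
import os
import tempfile

# Assumption: extensions commonly used for XQuery source; only .xqm appears in the post.
XQUERY_EXTS = {".xqm", ".xq", ".xquery", ".xql", ".xqy"}
# Top-level directories a servlet container does not serve directly to clients.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}
RESTXQ_NS = "http://exquery.org/ns/restxq"  # RESTXQ annotation namespace


def find_exposed_modules(webapp_root):
    """Return sorted (url_path, is_restxq) for XQuery files outside WEB-INF/META-INF."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webapp_root):
        if dirpath == webapp_root:
            # Protected directories exist only at the top of the webapp; do not descend.
            dirnames[:] = [d for d in dirnames if d not in PROTECTED_DIRS]
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in XQUERY_EXTS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                is_restxq = RESTXQ_NS in fh.read()
            rel = os.path.relpath(full, webapp_root).replace(os.sep, "/")
            findings.append(("/" + rel, is_restxq))
    return sorted(findings)


def build_sample_webapp(root):
    """Constructed layout: modules in the web root and lib/, one under WEB-INF."""
    module = ('module namespace page = "http://example.org/page";\n'
              'declare namespace rest = "%s";\n'
              'declare %%rest:path("") function page:start() { <html/> };\n' % RESTXQ_NS)
    for rel in ("restxq.xqm", "WEB-INF/restxq/hidden.xqm", "lib/util.xq"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(module if rel.endswith(".xqm") else "1 + 1\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for url_path, is_restxq in find_exposed_modules(build_sample_webapp(tmp)):
            print(url_path, "RESTXQ module" if is_restxq else "XQuery file")
```

Run against a real deployment by passing its webapp directory to `find_exposed_modules`; every path it returns is one to move under WEB-INF or block at the container or a front-end proxy.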

Message: 1
Date: Fri, 17 Aug 2012 14:26:12 -0400
From: Colin McEnearney <colinmcenearney@gmail.com>
To: basex-talk@mailman.uni-konstanz.de
Subject: [basex-talk] restxq
Message-ID:
        <CAPh7s+KPgb95fFRxGdyKUaKcv=pkV5LVhjUOR+EVOiqQmK2oWw@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

This is a newbie email.

I've been using basex for some time for its xquery engine (which is
awesome) but never in production or for web development. I have some small
projects coming up and looking at it for the db side of a web app I just
noticed RESTXQ - looks really cool!

I'm not really a developer but I use xquery every day at work and so would
love to use it - exclusively if possible. Does restxq mean that you can
serve a site with no client (php, ruby, etc) in between the db and the
html?

basex <-> html

That would be so simple and fun, and quite useful for a blog or other
not-too-huge type of thing.

Or is that totally crazy for security reasons?


Colin

------------------------------

Message: 2
Date: Sat, 18 Aug 2012 08:13:23 +0200
From: Dirk Kirsten <dk@basex.org>
To: Colin McEnearney <colinmcenearney@gmail.com>
Cc: basex-talk@mailman.uni-konstanz.de
Subject: Re: [basex-talk] restxq
Message-ID:
        <CA+QqkSpiSBFe6COYHwHWU0qv5m2+T9M=goJbiR_9xEtuqp9F6g@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello Colin,

Thanks for your feedback and your excitement about XQuery!

Your inquiry is neither newbie-like nor crazy :) We at BaseX, too, love
developing completely in the X-Stack. We use RestXQ quite extensively in
commercial products and do basically everything with XML-technology. So
typically we have BaseX as a persistent layer and use XQuery in combination
with RestXQ to implement the business logic. We also use XForms (e.g. using
xsltforms or betterforms), which is very nice to create forms.
Also, using the development stack feels quite natural, as HTML is also just
an XML dialect and so you always use the same technology.

Cheers,
Dirk

On Fri, Aug 17, 2012 at 8:26 PM, Colin McEnearney <colinmcenearney@gmail.com> wrote:

> This is a newbie email.
>
> I've been using basex for some time for its xquery engine (which is
> awesome) but never in production or for web development. I have some small
> projects coming up and looking at it for the db side of a web app I just
> noticed RESTXQ - looks really cool!
>
> I'm not really a developer but I use xquery every day at work and so would
> love to use it - exclusively if possible. Does restxq mean that you can
> serve a site with no client (php, ruby, etc) in between the db and the
> html?
>
> basex <-> html
>
> That would be so simple and fun, and quite useful for a blog or other
> not-too-huge type of thing.
>
> Or is that totally crazy for security reasons?
>
>
> Colin