Chods - how exactly do you disable encoding on MY browser? If the client properly encodes data from the server before inserting it into the HTML, where is the issue? Nobody cares what you do with your browser. You own your browser and all its functions. The server will validate data as appropriate to the type, and the client will encode it correctly so that non-HTML is not treated as HTML. While I can bypass this encoding in my browser and you can bypass this encoding in your browser, YOU cannot bypass this encoding in MY browser, right? If you can, please teach me. I'd love to learn.
Ext JS, like any well-designed presentation layer framework, should certainly not require the application to be aware of its existence. In fact I would suggest that if it does so it is displaying an extreme level of design schizophrenia. Ext JS supports RESTful conversations with the application layer. REST is emphatically presentation-layer agnostic as a transport. If I want to build an Ext JS user interface against my REST application as well as a headless data processing client application, I should be able to do so. If you are saying I must HTML-encode data before it leaves the application layer, I have to do one of two odious things:
1) Add another, Ext JS-aware (or at least webapp aware) layer between the REST apis and the client.
2) HTML-encode my data within the application layer, requiring my headless data processing client to now be aware of an implementation detail of another, completely unrelated, client application.
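The pipeline the two posts above are arguing over, as an added example that is not part of the thread and not Ext JS code: the REST layer returns raw JSON, the browser client HTML-encodes each value at the moment it becomes markup (Ext JS ships Ext.util.Format.htmlEncode for this; a hand-written encoder is used here so the snippet runs stand-alone in Node), and a headless client reads the same raw data untouched. The server response, field names and the "note" attribute are constructed for the example. The unsafe renderer is included only to show what the encoder prevents.

```javascript
// Constructed server response: the second record carries markup that an
// attacker managed to store. The application layer stores and returns it as-is.
const SERVER_RESPONSE = JSON.stringify({
  success: true,
  rows: [
    { id: 1, name: 'Alice', note: 'plain text' },
    { id: 2, name: '<img src=x onerror=alert(1)>', note: '" onmouseover="alert(2)' }
  ]
});

// Minimal HTML encoder. Replacing '&' first avoids double-encoding the
// entities produced by the later replacements. Quotes are encoded too, so the
// same function is safe for element content and for double-quoted attributes.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Browser client: builds grid rows from the response, encoding every value
// at the point where it is inserted into the HTML. Note the "note" value goes
// into an attribute; without quote encoding it would break out of title="...".
function renderRows(jsonText) {
  const data = JSON.parse(jsonText);
  return data.rows.map(r =>
    `<tr data-id="${htmlEncode(r.id)}"><td title="${htmlEncode(r.note)}">${htmlEncode(r.name)}</td></tr>`
  ).join('');
}

// The same client without encoding: the stored markup becomes live HTML.
function renderRowsUnsafe(jsonText) {
  const data = JSON.parse(jsonText);
  return data.rows.map(r =>
    `<tr data-id="${r.id}"><td title="${r.note}">${r.name}</td></tr>`
  ).join('');
}

// Headless client (say, a CSV export): wants the raw value and would be
// wrong if the server had encoded it.
function exportNames(jsonText) {
  return JSON.parse(jsonText).rows.map(r => r.name);
}

// Check used by the self-test: does the stored payload survive as markup?
// After encoding, '<img' reads '&lt;img' and the attribute break-out '" onmouseover='
// reads '&quot; onmouseover=', so neither pattern can match.
function containsRawMarkup(html) {
  return /<img|" onmouseover=/.test(html);
}
```

The point of the attribute field is that "HTML-encode" has to cover the quote characters as well as angle brackets, otherwise a value placed inside `title="..."` can close the attribute and add an event handler even though it contains no `<` at all.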
into your browser and cause the HTML to not be encoded, right? I could do that, couldn't I reach into your browser and cause my own HTML to be added to your page even if you are encoding on the client?
The server should be the relied-upon method of "securing" the data... Encoded data should not be stored in the database because, as a couple of people stated earlier, you could end up with other "frontends"... and HTML, unless using a WYSIWYG for the exact purpose of generating HTML, should not be stored in the database... use bb code or something of the such to create tokens that can be replaced by the frontend or the server, if your server is aware of the frontend currently in use.
Last edited by dorgan; 6 Aug 2010 at 7:48 AM. Reason: typos
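The token approach dorgan describes, as an added example that is not part of the thread: the database holds plain text plus a small BBCode subset, and the HTML frontend encodes the whole stored string first and only then turns the whitelisted tokens into tags, so any HTML typed into the text stays inert. A second, non-HTML frontend renders the same stored value as plain text. The tag set (`[b]`, `[i]`, `[url=...]`) and the sample inputs are constructed for the example; the http(s)-only rule for links is the check a practitioner would want, because a token scheme that accepts any URL hands back the `javascript:` problem it was meant to remove.

```javascript
// Encoder: same five characters as any HTML encoder, '&' first.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reverse of htmlEncode, used only on a URL target before validating it.
// '&amp;' is decoded last so it cannot create new entities.
function htmlDecode(value) {
  return value
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Only these tokens are recognised; anything else stays literal text.
const SIMPLE_TAGS = { b: 'strong', i: 'em' };

// Accept absolute http(s) links with no quote or angle-bracket characters,
// so [url=javascript:...] or [url=data:...] can never become a live href.
function safeHref(target) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(target) ? target : null;
}

// HTML frontend: encode first, then replace tokens.
function renderBBCode(stored) {
  // After this step no '<', '>', '"' or "'" from the stored text survives.
  let out = htmlEncode(stored);

  // The tokens use [ and ], which the encoder leaves alone, so they are
  // still matchable. Unclosed tokens simply remain as literal text.
  for (const [tag, element] of Object.entries(SIMPLE_TAGS)) {
    const re = new RegExp(`\\[${tag}\\]([\\s\\S]*?)\\[/${tag}\\]`, 'g');
    out = out.replace(re, `<${element}>$1</${element}>`);
  }

  // [url=target]text[/url]: the target was encoded along with everything
  // else, so decode it, validate it, and re-encode it for the attribute.
  out = out.replace(/\[url=([^\]]+)\]([\s\S]*?)\[\/url\]/g, (whole, target, text) => {
    const href = safeHref(htmlDecode(target));
    return href ? `<a href="${htmlEncode(href)}">${text}</a>` : text;
  });
  return out;
}

// Plain-text frontend (e.g. an e-mail notification) can consume the same
// stored value because nothing HTML-specific was baked into it.
function renderPlainText(stored) {
  return stored
    .replace(/\[url=([^\]]+)\]([\s\S]*?)\[\/url\]/g, '$2 <$1>')
    .replace(/\[\/?(b|i)\]/g, '');
}
```

Because encoding happens before token replacement, the link text and the bold/italic bodies are already safe when they are wrapped in tags; the only value that re-enters an HTML attribute is the validated URL, and it is encoded again on the way in.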
I'm not seeing the issue here.
No matter how you spin it, the client code is insecure (can be hacked by a malicious user). The server is where you have the ability to control the content.