Questions about identity, elements and security


12u...@gmail.com

Feb 24, 2022, 1:27:28 PM
to Nitrogen Project / The Nitrogen Web Framework for Erlang
Hi Nitrogeniuses,

For my big project (an ERP), I'd like to be as modular as possible, as some people will need all functionalities and others, not - so each "module" would be a Nitrogen app. Of course, some apps could be local, others, remote - all protected by https.

The idea is to have a spreading gen_server, a bit like "nprocreg", that identifies the user by questioning the database, retrieves his rights and stores them into an ETS (owned by the supervisor) for all apps to know which pages he can or cannot access.

The problem is, when jumping from one app to another, how can I _securely_ pass a piece of information to app #N that will tell it whether this user is already logged in or not? (Or share the same cookie, if that is possible and a good and secure way to go?)

About elements, I have to write some, beginning with a tree with checkboxes (something like this: https://www.jqueryscript.net/other/Collapsible-Tree-View-Checkboxes-jQuery-hummingbird.html) and a nitrogenification of an image zoom (something like this: https://www.jqueryscript.net/gallery/Feature-rich-Product-Gallery-With-Image-Zoom-xZoom.html or this: https://www.jqueryscript.net/slider/Product-Carousel-Magnifying-Effect-exzoom.html; the first one seems more appropriate for an online shop) that presents image thumbnails under the main picture and zooms this main picture when the mouse is hovering over it, so which element shall I study the most that could help me best to achieve that?

About security, I was surprised to see that the text retrieved from a #txtbox{} or a #txtarea{} isn't html_encoded but native when using wf:q/1, which is a problem, especially regarding SQL injections - am I missing something about value retrieving, or is the right way to do it to manually sanitize these texts as in:
DummyJSsan = wf:js_escape(wf:q(my_txtbox))
, DummyJSandHTMLsan = wf:html_encode(DummyJSsan)
, ReadyForDBbin = unicode:characters_to_binary(DummyJSandHTMLsan, utf8)
before saving them to the DB?
And if so, will it be correctly rendered when retrieved from the DB, or shall I re-process it?

That's all for now, but I'll be back ! ;-p)

Jean-Yves
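An added example in Erlang, written for this thread and not taken from the post above or from the Nitrogen project, showing one defensive answer to the two questions it raises: an HMAC-signed, short-lived handoff token that a second app can verify without a shared session store, and the split between input handling (bound DB parameters) and output encoding (wf:html_encode/1 at render time). Assumptions: a shared secret provisioned to every app out of band, OTP 22.1 or later for crypto:mac/4, and epgsql (epgsql:equery/3) standing in for whatever database client is actually in use; the module name, function names and the `notes` table are invented for the illustration.

```erlang
%% Added example, not code from the thread or from the Nitrogen project.
%% Assumptions: OTP 22.1+ (crypto:mac/4), a shared secret provisioned to
%% every app out of band, and the epgsql client for the DB calls.
-module(sso_handoff_example).
-export([issue/3, verify/3, store_note/3, render_note/1]).

-define(TTL_SECONDS, 300).   % short lifetime: the token is a one-hop handoff

%% issue(Secret, UserId, Roles) -> Token
%% Payload is "UserId|role1,role2|Expires"; the MAC covers the whole payload,
%% so none of the three fields can be altered without the secret.
issue(Secret, UserId, Roles) when is_binary(Secret), is_binary(UserId) ->
    false = has_separator(UserId),
    false = lists:any(fun has_separator/1, Roles),
    Expires = integer_to_binary(erlang:system_time(second) + ?TTL_SECONDS),
    RolesBin = iolist_to_binary(lists:join(<<",">>, Roles)),
    Payload = <<UserId/binary, "|", RolesBin/binary, "|", Expires/binary>>,
    Mac = crypto:mac(hmac, sha256, Secret, Payload),
    <<(base64:encode(Payload))/binary, ".", (base64:encode(Mac))/binary>>.

%% Reject field values that would collide with the payload separators.
has_separator(Bin) ->
    binary:match(Bin, [<<"|">>, <<",">>]) =/= nomatch.

%% verify(Secret, Token, NowSeconds) -> {ok, UserId, Roles} | {error, Reason}
%% Order matters: check the MAC before trusting anything in the payload.
verify(Secret, Token, Now) when is_binary(Secret), is_binary(Token) ->
    case binary:split(Token, <<".">>) of
        [P64, M64] ->
            try
                Payload = base64:decode(P64),
                Mac = base64:decode(M64),
                Expected = crypto:mac(hmac, sha256, Secret, Payload),
                case constant_time_equal(Mac, Expected) of
                    true  -> check_payload(Payload, Now);
                    false -> {error, bad_signature}
                end
            catch
                _:_ -> {error, malformed}
            end;
        _ ->
            {error, malformed}
    end.

check_payload(Payload, Now) ->
    case binary:split(Payload, <<"|">>, [global]) of
        [UserId, RolesBin, ExpBin] ->
            case Now =< binary_to_integer(ExpBin) of
                true ->
                    Roles = [R || R <- binary:split(RolesBin, <<",">>, [global]),
                                  R =/= <<>>],
                    {ok, UserId, Roles};
                false ->
                    {error, expired}
            end;
        _ ->
            {error, malformed}
    end.

%% Byte-by-byte comparison whose running time does not depend on where the
%% first difference is, so a MAC cannot be confirmed one byte at a time.
constant_time_equal(A, B) when byte_size(A) =/= byte_size(B) -> false;
constant_time_equal(A, B) ->
    0 =:= lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0,
                      lists:zip(binary_to_list(A), binary_to_list(B))).

%% Input side: the raw value from wf:q/1 goes to the DB as a bound parameter.
%% The SQL text never contains user data, so no SQL escaping is needed and
%% the stored value is the user's exact text. wf:q/1 is assumed to return
%% undefined when the field is absent from the request.
store_note(Conn, NoteId, FieldId) ->
    case wf:q(FieldId) of
        undefined ->
            {error, missing_field};
        Raw ->
            Body = unicode:characters_to_binary(Raw),
            epgsql:equery(Conn, "INSERT INTO notes (id, body) VALUES ($1, $2)",
                          [NoteId, Body])
    end.

%% Output side: encode exactly once, at render time, for the context the
%% value lands in (HTML here). Storing pre-encoded text would double-encode
%% on re-save and break any non-HTML consumer (API, CSV export).
render_note(Body) ->
    wf:html_encode(Body).
```

The issuing app calls issue/3 and hands the token to the next app over HTTPS (as a cookie or a redirect parameter, URL-encoded since standard base64 contains `+` and `/`); the receiving app calls verify/3 with `erlang:system_time(second)` and only then consults its own rights ETS for that UserId. As written the token is not single-use, so an app that wants replay protection should record accepted tokens until their expiry. On the second question: wf:html_encode/1 and wf:js_escape/1 are output encoders for the HTML and JavaScript contexts, so applying them before the database does nothing against SQL injection, which bound parameters address; it also means the stored text is already HTML-encoded and would need decoding before any non-HTML use, which is why the example stores the raw value and encodes once when rendering.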