I don't like the idea of passing a resource name to include through the URL. It makes me think of... well, the common flaw in some scripting languages where beginners set a filename as a parameter (foo.php?inc=contact.php, which can easily be replaced with foo.php?inc=/etc/passwd).
What if you've got - like most notes databases - an "All" view, through which people might discover sensitive data? I guess it can lead to security issues.
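As an added illustration (not the commenter's code, and not tied to any real application), here is the include-by-URL-parameter pattern the comment warns about in Python, beside a resolver that only accepts an allowlisted key and then confirms the result stays inside an assumed base directory. The directory and file names are constructed for the example.

```python
import os

# Assumed include directory (hypothetical; constructed for this example).
INCLUDE_DIR = "/var/www/app/includes"

# The URL carries a short key, never a file name or path.
ALLOWED_INCLUDES = {
    "contact": "contact.php",
    "about": "about.php",
}


def resolve_unsafe(inc):
    """Vulnerable pattern: the raw URL parameter becomes the file name.

    os.path.join discards the base directory when the second argument is
    absolute, so ?inc=/etc/passwd resolves straight to /etc/passwd, and
    ../ sequences walk out of INCLUDE_DIR as well.
    """
    return os.path.join(INCLUDE_DIR, inc)


def resolve_safe(inc):
    """Hardened resolver: allowlist first, path confinement second.

    Returns the resolved absolute path, or None if the request is rejected.
    The commonpath check is defence in depth; the allowlist already makes
    traversal impossible, but it catches a bad allowlist entry too.
    """
    if not isinstance(inc, str) or "\x00" in inc:
        return None
    fname = ALLOWED_INCLUDES.get(inc)
    if fname is None:
        return None
    base = os.path.realpath(INCLUDE_DIR)
    target = os.path.realpath(os.path.join(base, fname))
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```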