On 4/6/11 7:43 PM, Roger wrote: [..]
I think protecting the form is just one part of a concept. Another part must be to prevent injecting JavaScript into user-generated content. If an application allows posting JS in a blog post or comment etc., it should be possible to use easydmx to read and re-use the secure form token. (Not approved, but it should work.)
For that reason both CMF and Plone "clean" user input by stripping nasty tags and such, at least by default.
Raphael
One of my bigger concerns is also that such a token would break a lot of our tests, which would force us to use custom form classes that do not generate security tokens.
I'm fine in general with implementing such a concept in z3c.form, but it should be optional. Why not offer additional form classes or a mixin to support such a token?
Regards
Roger Ineichen
Laurence
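As an added illustration of the mixin idea raised in the thread (example code, not z3c.form's own API or any code from the posters): a form token derived from the session with an HMAC, embedded as a hidden field, verified in constant time on POST, and switchable off per form class so that test fixtures do not need a separate form hierarchy. The `Request`, `BaseForm`, `SECRET` and the `_form_token` field name are constructed stand-ins; the token is bound to the session id so that a token captured from one session is useless in another.

```python
"""Added example: a CSRF form token as an optional form mixin.

Hypothetical code, not z3c.form's API. Assumptions: a server-side
SECRET, a request object carrying a session id and the submitted
form fields, and a form base class with an update() hook.
"""
import hashlib
import hmac
import secrets

# Server-side secret; constructed here, in practice loaded from config.
SECRET = secrets.token_bytes(32)


def make_form_token(secret, session_id):
    """Derive the hidden-field token from the session id, so a token
    stolen from one session does not validate in another."""
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_form_token(secret, session_id, submitted):
    """Constant-time comparison; a missing or malformed token fails."""
    if not isinstance(submitted, str) or not submitted:
        return False
    expected = make_form_token(secret, session_id)
    return hmac.compare_digest(expected, submitted)


class Request:
    """Minimal stand-in for a Zope request (constructed for the example)."""

    def __init__(self, method, session_id, form=None):
        self.method = method
        self.session_id = session_id
        self.form = dict(form or {})


class BaseForm:
    """Minimal stand-in for a z3c.form form class (constructed)."""

    def __init__(self, context, request):
        self.context = context
        self.request = request
        self.errors = []

    def update(self):
        pass  # a real form would process widgets and actions here


class FormTokenMixin:
    """Opt-in CSRF protection. Tests, or forms that do not need it,
    set csrf_protected = False instead of using a different form class."""

    csrf_protected = True
    token_field = "_form_token"

    def token_for_render(self):
        """Value to place in the hidden input when rendering the form."""
        return make_form_token(SECRET, self.request.session_id)

    def token_is_valid(self):
        if not self.csrf_protected or self.request.method != "POST":
            return True  # only state-changing submissions are checked
        return verify_form_token(
            SECRET, self.request.session_id, self.request.form.get(self.token_field))

    def update(self):
        if not self.token_is_valid():
            self.errors.append("invalid or missing form token")
            return  # refuse to run actions on an unverified submission
        super().update()


class CommentForm(FormTokenMixin, BaseForm):
    pass


class UnprotectedCommentForm(CommentForm):
    csrf_protected = False  # what a test fixture would do


def submit(form_class, session_id, fields, method="POST"):
    """Run one submission and report whether the form accepted it."""
    form = form_class(None, Request(method, session_id, fields))
    form.update()
    return not form.errors


if __name__ == "__main__":
    token = CommentForm(None, Request("GET", "sess-1")).token_for_render()
    print("valid POST accepted:", submit(CommentForm, "sess-1", {"_form_token": token}))
    print("POST without token accepted:", submit(CommentForm, "sess-1", {}))
    print("token from another session accepted:",
          submit(CommentForm, "sess-2", {"_form_token": token}))
```

The check lives in `update()` so that a rejected submission never reaches the form's actions; GET requests pass through because the token only guards state-changing submissions, and the per-class `csrf_protected` flag is the "optional" switch the thread asks for.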
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )