On Thu, Aug 01, 2002 at 12:34:30PM -0400, Martijn Pieters wrote:
On Thu, Aug 01, 2002 at 10:29:36AM -0600, Jeffrey P Shell wrote:
Hopefully I'll get a chance to test it with some of our 2.5 sites - I have a small worry that old code on small sites that we don't have much worry about will break if this is put into a 2.5.2 or later release. Could there be a way to disable this "feature" in 2.5 via a z2/environment variable or some other configuration setting, but have it be automatic in 2.6? "Potential code breakage" and "point point release" leave me a little worried about maintaining 2.5 sites.
It may not be an issue - I have to digest the changes in more depth than I've had (or currently have) time for, but that's the thought that crossed my mind earlier.
From a technical standpoint I can indeed add a switch that would disable the occurrence of tainted strings, yes. I'll discuss this with Brian, it shouldn't be hard to add.
But note that breakage only occurs when REQUEST data actually contains possibly dangerous markup, and your site was vulnerable in those areas that now break. Disabling the tainting will leave you vulnerable.
Just checked into CVS for both 2.5 and 2.6; setting ZOPE_DTML_REQUEST_AUTOQUOTE to one of 'no', '0', or 'disabled' will disable the new tainting of strings and thus disable autoquoting.

--
Martijn Pieters | Software Engineer mailto:mj@zope.com
Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/
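The mechanism the thread is discussing, as an added illustration that is not Zope's own code: request values carrying markup characters are wrapped in a tainted string type, a DTML-like renderer HTML-quotes tainted values on output, and the ZOPE_DTML_REQUEST_AUTOQUOTE switch with the values named above ('no', '0', 'disabled') turns tainting off. The class and function names, the set of characters treated as markup, and the `environ` parameter are assumptions made for this example; the only thing taken from the thread is the variable name and its disabling values. It shows both points Martijn makes: plain request data such as a name renders unchanged whether or not tainting is on, so only pages that were actually receiving markup change behaviour, and with the switch set the markup reaches the output verbatim.

```python
import html
import os

# Constructed stand-in for Zope's tainted-string autoquoting (not Zope's code).
# The environment variable name and its disabling values come from the thread;
# everything else here is an assumption made for illustration.

DISABLE_VALUES = {"no", "0", "disabled"}
MARKUP_CHARS = "<>&\"'"   # assumed: characters that mark a value as possibly dangerous


def autoquote_enabled(environ=None):
    """Tainting stays on unless the switch is set to one of the disabling values."""
    env = os.environ if environ is None else environ
    value = env.get("ZOPE_DTML_REQUEST_AUTOQUOTE", "").strip().lower()
    return value not in DISABLE_VALUES


class TaintedString(str):
    """A str subclass flagging request data that contains markup characters."""

    def quoted(self):
        # HTML-quote on output; this is the "autoquoting" step.
        return html.escape(str(self), quote=True)


def taint_request_value(value, environ=None):
    """Wrap a REQUEST value in TaintedString when tainting is enabled and the
    value actually contains markup; otherwise return it unchanged."""
    if autoquote_enabled(environ) and any(c in value for c in MARKUP_CHARS):
        return TaintedString(value)
    return value


def render_dtml_var(value):
    """Stand-in for inserting a variable into DTML output: tainted values are
    quoted, ordinary strings are inserted verbatim (the pre-existing behaviour)."""
    if isinstance(value, TaintedString):
        return value.quoted()
    return value


def render_page(name, environ=None):
    """Render a minimal page that echoes a request parameter into HTML."""
    return "<p>Hello, " + render_dtml_var(taint_request_value(name, environ)) + "</p>"


if __name__ == "__main__":
    # Constructed request values.
    print(render_page("Alice", {}))                               # unchanged either way
    print(render_page("<b>Alice</b>", {}))                         # tainted, so quoted
    print(render_page("<b>Alice</b>", {"ZOPE_DTML_REQUEST_AUTOQUOTE": "no"}))  # switch set: verbatim
```

Setting the variable to any value other than the three disabling ones (including '1' or an empty string) leaves tainting on, which is the safe default the thread recommends keeping.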