So, in this validation framework, do you envision having a parameter-validating routine being invoked whenever a publicly-exposed method is called by DTML methods, or did you want to focus on mere HTML form validation/stripping? I'm asking because I've had situations when I've needed the ability to restrict access to methods based on the values of their parameters -- that's a little more fine-grained than the current security machinery allows. I've always thought that it might be nice to provide a hook for each method in a Zope class (similar to declarative security statements), and to use this hook to validate the parameters, according to the needs of the user. For string parameters, perhaps we can also have the ability to specify a "filter" -- something like a search and replace statement, with Sed-like syntax. "Andy" <andy@agmweb.ca> wrote:
That depends where you do the checking, yes html validation in just a form is not as secure as checking at the application level. What I am suggesting is adding the HTML validation framework into the core of Zope so people can add checking to any level of their application as they wish. Making a standard interface to this gives a the developer chance to put the checking in at the level they choose.