Andy wrote:
You seem to be aware of the fact, but I'd like to point it out explicitly: from a security point of view, this is completely useless. As HTML stripping is often done for security reasons, I fail to see the interest in such a feature.
That depends where you do the checking; yes, HTML validation in just a form is not as secure as checking at the application level. What I am suggesting is adding the HTML validation framework into the core of Zope so people can add checking to any level of their application as they wish. Making a standard interface to this gives the developer a chance to put the checking in at the level they choose.
If it's easy to get to I could also use it from Formulator, which, though I don't guarantee perfect security, at least has a design which makes it far less easy to fool than the Zope marshalling :foo thing (which you can fool just by writing your own HTML form). All you'd need is to add an HTMLField to the system which has the right knobs to set what exactly you want to allow in entered HTML -- that's also a far better user interface than thinking up yet another marshalling :html:foo:bar strategy. Anyway, just a module that I can import from Python that exposes the functionality would already be worth a lot having in the core; I'm loath to introduce dependencies on non-core stuff in Formulator, as it's aiming to be a very fundamental product that just should work out of the box. The only non-core dependency right now is on TALES, but it still works without it; you can also use Core Session Tracking in a simple way. Once Zope 2.5 is out I plan to start depending on sessions and TALES a lot more though, as they have those in the core.
Regards,
Martijn
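An added illustration of the kind of importable module the thread asks for (example code, not from the thread, Zope or Formulator): an allowlist HTML filter that the application calls on any submitted value, so it holds regardless of which form (or hand-written form) the data came from. The allowed tag and attribute sets are assumed "knobs" of a hypothetical HTMLField.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse


class AllowlistHTMLFilter(HTMLParser):
    """Rebuilds input keeping only allowlisted tags/attributes.

    Disallowed tags are dropped (their text is kept, escaped), disallowed
    attributes are removed, and href values must use a safe scheme.
    """
    ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}   # assumed knobs
    ALLOWED_ATTRS = {"a": {"href"}}                             # assumed knobs
    SAFE_SCHEMES = {"http", "https", ""}                        # "" = relative URL

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; we re-escape
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            return                                   # drop tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED_ATTRS.get(tag, set()):
                continue                             # e.g. onclick is removed
            if name == "href" and urlparse(value or "").scheme.lower() not in self.SAFE_SCHEMES:
                continue                             # e.g. javascript: is removed
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:                    # close down to it so output stays balanced
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text (incl. dropped <script> bodies) is escaped

    def close(self):
        super().close()
        while self.open_tags:                        # close anything left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def clean_html(untrusted: str) -> str:
    """Application-level entry point: call on the value, not on the form."""
    f = AllowlistHTMLFilter()
    f.feed(untrusted)
    return f.close()
```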