Hi there,

I'm working with Chuck Burdick on some changes to ZFormulator that allow arbitrary DTML in some field definitions. Chuck got it working by doing this:

    HTML(foo).__call__(self)

where 'foo' is a string that may contain DTML statements. This appears to work, but does not do any security checks. If the DTML for instance contains this:

    <dtml-var locked>

where 'locked' is a DTML Method that should be inaccessible to Anonymous ('View' and 'Access contents information' both turned off), the code happily continues and lets Anonymous view 'locked' just fine.

How do I pass along authentication information to the HTML() object? (Am I asking the right question?) Is there any documentation on how this works altogether? I dug some through the source but I'm not getting very enlightened. It appears that some validate() method is called, but I'm basically quite in the dark.

This kind of issue would likely be important to many product developers who want to use DTML in this way; we don't want products to leave such security holes.

Regards,

Martijn
Martijn Faassen
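The failure mode described in the post, as an added example that is not part of the original message and is not Zope's or ZFormulator's code: a toy DTML-style renderer that resolves <dtml-var name> straight out of a container, beside a variant that routes every name lookup through a per-user access check before substituting it. The names DTMLMethod, User, CONTAINER, ANONYMOUS, MANAGER, validate, render_unchecked, render_guarded and is_denied are all hypothetical, and the sample container and role sets are constructed here for the demonstration; only the general shape (look up a name on behalf of a user, refuse if the user's roles do not grant view access) corresponds to what the post is asking for.

```python
import re
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a name lookup fails the access check."""


@dataclass
class DTMLMethod:
    """Hypothetical stand-in for a DTML Method: its body plus the roles allowed to view it."""
    name: str
    body: str
    view_roles: frozenset = field(default_factory=lambda: frozenset({"Manager"}))


@dataclass
class User:
    """Hypothetical authenticated principal with a set of roles."""
    name: str
    roles: frozenset


# Constructed sample container (assumption, not real Zope objects):
# 'locked' is viewable only by Manager, 'public' by Anonymous as well.
CONTAINER = {
    "locked": DTMLMethod("locked", "secret-content", frozenset({"Manager"})),
    "public": DTMLMethod("public", "hello", frozenset({"Manager", "Anonymous"})),
}

ANONYMOUS = User("anonymous", frozenset({"Anonymous"}))
MANAGER = User("admin", frozenset({"Manager"}))

# Minimal <dtml-var name> matcher; enough for the demonstration, not a DTML parser.
VAR_RE = re.compile(r"<dtml-var\s+([A-Za-z_][A-Za-z0-9_]*)\s*>")


def validate(user, name, value):
    """Hypothetical per-name access check: refuse unless a role of `user` may view `value`."""
    if not (user.roles & value.view_roles):
        raise Unauthorized(f"{user.name} may not view {name!r}")
    return value


def render_unchecked(template, container):
    """The problematic path: every name is resolved from the container with no check at all,
    so a template supplied by an untrusted party can read anything the container holds."""
    def substitute(match):
        return container[match.group(1)].body
    return VAR_RE.sub(substitute, template)


def render_guarded(template, container, user):
    """Same substitution, but every lookup is validated on behalf of `user` first.
    An Unauthorized error aborts rendering instead of leaking the protected body."""
    def substitute(match):
        name = match.group(1)
        return validate(user, name, container[name]).body
    return VAR_RE.sub(substitute, template)


def is_denied(template, container, user):
    """True if guarded rendering of `template` is refused for `user`."""
    try:
        render_guarded(template, container, user)
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    template = "header <dtml-var locked> footer"
    print("unchecked:", render_unchecked(template, CONTAINER))
    print("guarded as manager:", render_guarded(template, CONTAINER, MANAGER))
    print("guarded as anonymous denied:", is_denied(template, CONTAINER, ANONYMOUS))
```

The design point is that the check has to happen at the moment each name is resolved, with the identity of the user the template is being rendered for; checking permissions once on the outer object, or not passing the user down at all, is exactly what lets the unchecked path hand 'locked' to Anonymous.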