I looked at ZopeCVS's PythonScripts. I mostly like it -- with the following exceptions:

* Namespace binding

  It does not yet work, apparently:

  In DTML, I have:

      <dtml-call "REQUEST.set('a','a')">
      <dtml-var pyscript>

  in PythonScript "pyscript":

      return _['a']

  and I get: "KeyError: a"

* Try it

  It is very nice that such a "try it" exists! However, as I am in Python, I would like to use Python expressions as argument values. Currently, the values are treated as strings. Default argument values are displayed as part of the argument name. If the values in the "try it" tab were Python expressions, the default values should be used to preset the value fields.

* Preventing creation of large sequences

  Apparently, you try hard to prevent the creation of large sequences. For a malicious user, it is however quite easy to counter your measures: either with a "while" loop or with a nested sequence repetition. To make it safe, you would probably need to limit the total complexity of all objects (together) that are created in the script (or other scripts called by this one). Alternatively, you could document that various security issues remain if PythonScripts are made editable through the web.

* Import control

  I know that I can control what modules (and names) can be imported in PythonScripts by providing an __access_to_unprotected_subobjects__ definition *in the* module. However, this is a global control affecting all PythonScripts in an installation. I see the demand for more localized control, e.g. that a script not editable through the web should import modules that are not safe for use by anonymous users.

Dieter
participants (1)
-
Dieter Maurer
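The "large sequences" point above, as an added example (not code from Dieter's post and not Zope's PythonScripts implementation): a per-operation cap on sequence repetition is satisfied by every step of a loop that builds a small piece at a time, so only a budget shared by the whole run bounds what the script creates in total. The names SequenceBudget, naive_guarded_mul, budget_guarded_mul, build_table_naive, build_table_budgeted and fits_budget, and the limits used, are assumptions made for the example.

```python
# Added example (not from the post or from Zope): a cumulative allocation
# budget for sequence repetition, compared with a per-operation check.
# All names and limits here are hypothetical.

PER_OP_LIMIT = 1000  # constructed: largest result one repetition may produce


class BudgetExceeded(Exception):
    """Raised when a script would create more sequence elements than allowed."""


class SequenceBudget:
    """Counts every element produced by repetition during one script run.

    One budget is shared by the whole run (and would be handed on to scripts
    called by this one), so a loop or nested repetition is charged for the
    sum of what it builds, not only for its largest single step.
    """

    def __init__(self, max_total):
        self.max_total = max_total
        self.used = 0

    def charge(self, count):
        self.used += count
        if self.used > self.max_total:
            raise BudgetExceeded(
                f"{self.used} elements exceed the budget of {self.max_total}"
            )


def naive_guarded_mul(seq, times):
    """Per-operation check only: rejects one oversized repetition, nothing more."""
    if len(seq) * times > PER_OP_LIMIT:
        raise BudgetExceeded("single repetition too large")
    return seq * times


def budget_guarded_mul(budget, seq, times):
    """Charges the shared budget for the result size before building it."""
    budget.charge(len(seq) * times)
    return seq * times


def build_table_naive(rows, cols):
    """Builds rows x cols zeros in a loop under the per-operation check.

    Each step creates only `cols` elements, so the check passes even when
    rows * cols is far beyond PER_OP_LIMIT. Returns the total element count.
    """
    table = [naive_guarded_mul([0], cols) for _ in range(rows)]
    return sum(len(row) for row in table)


def build_table_budgeted(rows, cols, max_total):
    """Same construction under a shared budget; raises once the total is exceeded."""
    budget = SequenceBudget(max_total)
    table = [budget_guarded_mul(budget, [0], cols) for _ in range(rows)]
    return sum(len(row) for row in table)


def fits_budget(rows, cols, max_total):
    """True if the whole construction stays within max_total elements."""
    try:
        build_table_budgeted(rows, cols, max_total)
    except BudgetExceeded:
        return False
    return True


if __name__ == "__main__":
    print("per-op check lets through:", build_table_naive(100, 100), "elements")
    print("budget of 5000 accepts 100x100:", fits_budget(100, 100, 5000))
    print("budget of 5000 accepts 10x100:", fits_budget(10, 100, 5000))
```

The budget object is what makes the difference: because it outlives any single repetition, the charge for the fifty-first row of a 100x100 table is added to the fifty rows already built and the run stops there, while the per-operation check never sees more than one row at a time.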
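The "import control" point above, as an added example (not code from the post and not how Zope implements __access_to_unprotected_subobjects__): a per-script import allowlist in place of one installation-wide setting, where the set of admitted modules depends on whether the script is editable through the web. The allowlists TTW_ALLOWED and ON_DISK_ALLOWED, the ImportDenied exception and the functions make_import_guard, run_script and script_allowed are assumptions made for the example.

```python
# Added example (not from the post or from Zope): a per-script import
# allowlist enforced through a guarded __import__. Names and the allowlists
# are hypothetical.
import builtins

# Constructed allowlists: scripts editable through the web get only modules
# considered safe for anonymous users; trusted on-disk scripts get more.
TTW_ALLOWED = frozenset({"math", "string"})
ON_DISK_ALLOWED = TTW_ALLOWED | frozenset({"os"})


class ImportDenied(ImportError):
    """Raised when a script imports a module outside its allowlist."""


def make_import_guard(allowed):
    """Returns an __import__ replacement admitting only top-level names in `allowed`."""
    real_import = builtins.__import__

    def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
        top = name.split(".")[0]
        # Relative imports (level > 0) have no place in a sandboxed script.
        if level != 0 or top not in allowed:
            raise ImportDenied(f"import of {name!r} is not allowed for this script")
        return real_import(name, globals, locals, fromlist, level)

    return guarded_import


def run_script(source, editable_ttw):
    """Executes `source` with an import guard chosen by how the script is stored.

    The script's builtins are replaced by a small dict, so the only route to
    a module is guarded_import. Returns the script's `result` variable.
    """
    allowed = TTW_ALLOWED if editable_ttw else ON_DISK_ALLOWED
    safe_builtins = {
        "__import__": make_import_guard(allowed),
        "len": len,
        "range": range,
        "str": str,
    }
    namespace = {"__builtins__": safe_builtins}
    exec(source, namespace)
    return namespace.get("result")


def script_allowed(source, editable_ttw):
    """True if every import in `source` is admitted for that kind of script."""
    try:
        run_script(source, editable_ttw)
    except ImportDenied:
        return False
    return True


if __name__ == "__main__":
    print(run_script("import math\nresult = math.sqrt(16)\n", editable_ttw=True))
    print(script_allowed("import os\nresult = 1\n", editable_ttw=True))
    print(script_allowed("import os.path\nresult = len(os.sep)\n", editable_ttw=False))
```

The guard keys on the top-level package name, so `import os.path` is decided by whether `os` is admitted; anything finer (admitting a submodule but not its parent) would need the allowlist to hold dotted names and the check to compare the full name.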