On Friday 06 February 2004 03:47 pm, Kevin Carlson wrote:
Thanks for the replies everyone. I was a little worried about the possibility of some malicious code being passed to the dtml but since the parameter in question is coming from an external database, it wasn't a huge possibility. Nonetheless, it was still a possibility so I did what was suggested below and created a python script to convert the text representation of the list to a list of integers, which is what is needed.
I hacked a version of Toby Dickenson's "MiniPickle" to create a MiniPickle.py module in my Narya product, see:

http://cvs.sourceforge.net/viewcvs.py/narya-project/Narya1/Narya/Utility/Min...

mini_dumps pickles data that you pass to it and converts it to hexcode (which is just 0-9A-F and therefore safe for any string use, such as embedding in Cookies or HTML forms). The reverse operation mini_loads will then restore the data from the string.

The trick is, it won't do it unless the data is a BUILT-IN PYTHON OBJECT: no functions, code objects, classes or class instances allowed -- only static data. This should eliminate the hazard of encountering a "trojan" object submitted by an untrusted client.

I use this in product code, but it can be used in an external method (as the original mini-pickle implementation did). The main extension in my module is the use of hexcode for storage (uncoded Python pickle format will break HTTP cookies, as I found out the hard way).

This should generally be able to do the non-perilous things you could do with 'eval', without much more effort. I've found it quite useful for storing dictionaries, for example.

Note that if you REALLY need to store a class instance, you can provide a means to pack/extract the data, mini-pickle and store *that*, then provide a wrapper to extend the data with the class on load. This is basically the "pluggable brain" concept, although I've found it easier to implement this myself than to try to use the Zope pluggable brain mechanism (which is designed for through-the-web development).

Cheers,
Terry

--
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks http://www.anansispaceworks.com