Just do REQUEST.form.get('foo') instead of REQUEST['foo'] or REQUEST.get('foo') to avoid the string tainting magic.

I don't agree that the REQUEST.get magic is a "hallmark of horrible design". I know I wouldn't want to go back to the days of Perl CGI, worrying whether something was in the query string or was form elements or in a cookie, in the environment, or wherever else. 99.9% of the time, I don't care. The .1 percent of the time that I do I can ask for it explicitly from the namespace I want.

- C

On Wed, 2003-04-16 at 15:53, Jamie Heilman wrote:
Josef Meile wrote:
One possible solution could be to convert all the "<" symbols to "&lt;". But I was wondering if there is another way of dealing with these TaintedStrings (apart from disabling the check, of course).
Make sure the variable in question gets explicitly pulled from the correct dictionary in the REQUEST object. Personally I think REQUEST.get is a hallmark of horrible design anyway. Has anyone written a HTTPRequest replacement that gets rid of "get magic" entirely? I'm sure it would break a billion things, but I'd be interested in playing with it regardless.
-- Jamie Heilman http://audible.transient.net/~jamie/ "You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
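The trade-off argued in this thread, as an added sketch that is not part of the original messages and is not Zope's HTTPRequest code: a toy request object with a merged lookup next to explicit per-namespace access. The class names, the search order and the taint rule (any value containing "<") are assumptions for illustration.

```python
from html import escape

class Tainted(str):
    """Marker type: the value contained '<' when it arrived (hypothetical model)."""

class ModelRequest:
    """Toy request with separate namespaces and a merged lookup; not Zope's class."""
    ORDER = ("form", "cookies", "environ")  # assumed search order, illustration only

    def __init__(self, form=None, cookies=None, environ=None):
        self.form = dict(form or {})
        self.cookies = dict(cookies or {})
        self.environ = dict(environ or {})

    def get(self, key, default=None):
        """Merged lookup: first namespace holding the key wins; '<' values are marked."""
        for name in self.ORDER:
            namespace = getattr(self, name)
            if key in namespace:
                value = namespace[key]
                return Tainted(value) if "<" in value else value
        return default

def render(value):
    """Escape at output time, however the value was fetched."""
    return escape(str(value), quote=True)

# Constructed sample request: one form field carrying markup, one cookie.
req = ModelRequest(form={"comment": "<b>hi</b>"}, cookies={"role": "admin"})

merged = req.get("comment")          # marked Tainted by the merged lookup
explicit = req.form.get("comment")   # plain str: no marker, so the caller must escape
from_cookie = req.get("role")        # merged lookup falls through to the cookie
from_form = req.form.get("role")     # explicit lookup: the form never carried 'role'
```

Reading from the explicit namespace removes both the marker and the ambiguity about where a value came from, so output escaping becomes the caller's job.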