Remove/Ignore <P> and other HTML tags
I am a system administrator who maintains our Zope servers. I don't know that much about python or zope, just enough to upgrade and troubleshoot from time to time. Of course, the developers who have developed the system are no longer here.

I am trying to move a site from Zope 2.7.4 (python 2.4) to a new server with Zope 2.9.4 (python 2.4.3). After some struggle, I have fixed most of the problems, but there is one that I don't have much clue about. I hope that an expert here can shed some light for me.

Here is the section of code that displays part of some abstract:

    <dtml-let rand1="get_random_image()"
              cap1="get_folder_title(name=rand1)"
              text="get_abstract_sample(name=rand1)">
    <table cellpadding=0 cellspacing=0><tr>

The function get_abstract_sample is here:

    for object in container.research.objectValues():
        a = object.getId()
        if (a == name):
            text = object.research_description_html.read()
        else:
            pass
    text = str(text)
    return text[0:400] + '...'

The above code works fine for the 2.7.4 server, but fails for the 2.9.4 server: it will ask for an authentication password for 2.9.4, and no user/password combination will work. If I modify it as follows (for the 2.9.4 server):

    for object in container.research.objectValues():
        a = object.getId()
        if (a == name):
            text = object.research_description_html
    text = str(text)
    return text[0:400] + '...'

Getting rid of read() for the 2.9.4 server solves the authentication problem and displays the web page, but with some unpleasant <P> and other HTML tags literally (it doesn't for the old 2.7.4 server).

I would love to hear suggestions and advice from this group to get rid of the literal <P> and other HTML tags. Thank you very much for your help.

Thank you very much for your attention.

Zhi-Wei Lu
Institute for Data Analysis and Visualization (IDAV)
UC Davis Phone: (530) 752-0494
Davis, CA 95616 Fax: (530) 752-8894
On Thu, Sep 14, 2006 at 03:52:30PM -0700, Zhi-Wei Lu wrote:
> I am a system administrator who maintains our Zope servers. I don't know that much about python or zope, just enough to upgrade and troubleshoot from time to time. Of course, the developers who have developed the system are no longer here.
>
> I am trying to move a site from Zope 2.7.4 (python 2.4) to a new server with Zope 2.9.4 (python 2.4.3). After some struggle, I have fixed most of the problems, but there is one that I don't have much clue about. I hope that an expert here can shed some light for me.
>
> Here is the section of code that displays part of some abstract:
>
>     <dtml-let rand1="get_random_image()"
>               cap1="get_folder_title(name=rand1)"
>               text="get_abstract_sample(name=rand1)">
>     <table cellpadding=0 cellspacing=0><tr>
>
> The function get_abstract_sample is here:
>
>     for object in container.research.objectValues():
>         a = object.getId()
>         if (a == name):
>             text = object.research_description_html.read()
>         else:
>             pass
Unless you omitted something, that's a really long and slow way to do this:

    text = container.research[name].read()

Don't iterate over all items when you only care about one of them and know what it's called :)

But that's not your problem...
> The above code works fine for the 2.7.4 server, but fails for the 2.9.4 server: it will ask for an authentication password for 2.9.4, and no user/password combination will work. If I modify it as follows (for the 2.9.4 server):
>
>     for object in container.research.objectValues():
>         a = object.getId()
>         if (a == name):
>             text = object.research_description_html
>     text = str(text)
>     return text[0:400] + '...'
>
> Getting rid of read() for the 2.9.4 server solves the authentication problem and
We don't know what kind of objects you have. But this sounds like the code for "object" is lacking some security declarations, and zope 2.7 was too permissive.
> displays the web page, but with some unpleasant <P> and other HTML tags literally (it doesn't for the old 2.7.4 server).
>
> I would love to hear suggestions and advice from this group to get rid of the literal <P> and other HTML tags. Thank you very much for your help.
Hmm, you never showed us where this text actually gets put into the page. In the example you gave, it gets assigned in a <dtml-let> tag, and that's the last we saw of it.

Perhaps you have something like <dtml-var text html_quote="1">? If so, remove the html_quote attribute.

See http://www.plope.com/Books/2_7Edition/AppendixA.stx#1-20

--
Paul Winkler
http://www.slinkp.com
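An added example, not part of the thread and not the site's code: slicing stored HTML at 400 characters can cut through a tag, and without html_quote whatever markup is stored reaches the browser unescaped. This standalone sketch strips the markup first, then truncates and escapes, so the excerpt can stay quoted; `abstract_sample`, `TextExtractor` and the sample string are constructed here, and the code targets Python 3, not the Python 2.4 that Zope 2.9 runs on.

```python
from html import escape
from html.parser import HTMLParser

BLOCK_TAGS = {"p", "br", "div", "li", "tr"}   # replaced by a space
SKIP_TAGS = {"script", "style"}               # body dropped entirely


class TextExtractor(HTMLParser):
    """Keep text nodes only; tags and script/style bodies are discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &amp; arrives as "&"
        self.parts = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            self.skip_depth += 1
        elif tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(data)


def abstract_sample(html_text, limit=400):
    """Return an HTML-escaped plain-text excerpt of at most `limit` chars."""
    parser = TextExtractor()
    parser.feed(html_text)
    parser.close()  # flush text buffered at end of input
    plain = " ".join("".join(parser.parts).split())  # collapse whitespace
    # Unlike the thread's script, '...' is added only when text was cut.
    excerpt = plain[:limit] + ("..." if len(plain) > limit else "")
    # Truncate first, escape second, so no entity is cut in half.
    return escape(excerpt)


# Constructed sample standing in for research_description_html.
SAMPLE = ("<P>Large-scale <b>volume</b> data &amp; meshes.</P>"
          "<script>alert(1)</script><P>Second paragraph, a &lt; b.</P>")

if __name__ == "__main__":
    print(abstract_sample(SAMPLE, limit=40))
```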
Zhi-Wei Lu wrote:
>     for object in container.research.objectValues():
>         a = object.getId()
>         if (a == name):
>             text = object.research_description_html.read()
>         else:
>             pass
>     text = str(text)
>     return text[0:400] + '...'
ZhiWei,

Just post a good fragment of your text[ 0 : 400 ] that pops your literal <p> and other non-translated html stuff and likely someone will solve it quick. I'm thinking an analogy to ZPT's structure keyword ....

Paul is right - the permission scheme did change. I know it annoyed the hell out of me :-) But not sure if that's your issue

David
Zhi-Wei Lu wrote at 2006-9-14 15:52 -0700:
> ...
> The above code works fine for the 2.7.4 server, but fails for the 2.9.4 server: it will ask for an authentication password for 2.9.4, and no user/password combination will work.
This means that you see a security problem.

You analyse security problems by means of "verbose-security". Look into your Zope configuration file (by default "etc/zope.conf"). Search "verbose-security" and follow the advice in the corresponding comment.

--
Dieter
participants (4): David H, Dieter Maurer, Paul Winkler, Zhi-Wei Lu