[Zope-CMF] Preventing HTML in Structured Text in Plone/CMF
Tres Seaver
tseaver@zope.com
07 Jul 2003 07:50:29 -0400
On Fri, 2003-07-04 at 16:13, Dieter Maurer wrote:
> Steven Hayles wrote at 2003-7-3 17:07 +0100:
> > I'd like to block the embedding of HTML in Structured Text in Plone. I can
> > see that I could modify CMFDefault.Document.Document._edit, replacing
> >
> >     self.cooked_text = format_stx(text=text, level=level)
> >
> > with
> >
> >     self.cooked_text = format_stx(text=html_quote(text), level=level)
> >
> > However, a monkey patch seems better. Shouldn't I be able to use the
> > following in an __init__.py file in a new product?
> >
> >     from Products.CMFCore import utils
> >     from DocumentTemplate.DT_Util import html_quote
> >
> >     original_format_stx = utils.format_stx
> >
> >     def new_format_stx(text, level):
> >         """format_stx replacement"""
> >         return original_format_stx(text=html_quote(text), level=level)
> >
> >     utils.format_stx = new_format_stx
> >
> > Can anyone explain to me slowly and clearly why this approach doesn't work?
>
> "Document" probably does "from Products.CMFCore.utils import format_stx".
>
> If this is right, then whether your monkey patch becomes effective
> depends on the relative import time of "Document" and your product.
> When your product comes first, your patch wins; otherwise, it is not
> effective.
>
> As you can see: patching module functions is unsafe...

Right; the only way to make it more safe is to restructure the
"patchee" module to export a hook function, e.g.:

    def _default_hook_implementation( foo, *args, **kw ):
        pass

    # Module-level slot holding the current implementation
    _HOOK_IMPLEMENTATION = _default_hook_implementation

    def setHookImplementation( impl ):
        global _HOOK_IMPLEMENTATION
        _HOOK_IMPLEMENTATION = impl

    # Looks up the slot at call time, so later replacements take effect
    def hooked( foo, *args, **kw ):
        return _HOOK_IMPLEMENTATION( foo, *args, **kw )

In this model, clients must import and call hooked, rather
than using _HOOK_IMPLEMENTATION directly.

In general, you would be better off imposing your policy changes via the
skin methods, such as 'document_edit', 'newsitem_edit', etc.

Tres.
--
===============================================================
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
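
Added example, not part of the original thread and not CMF code: a self-contained reproduction of the import-order problem and of the hook pattern, showing that a late monkey patch leaves HTML unquoted while the hook applies the quoting policy in either order. The module names demo_utils and demo_document, the functions hooked_format_stx, cook and cook_hooked, and the use of html.escape in place of html_quote are assumptions made for the demonstration.

```python
import html
import sys
import types

def make_module(name, source):
    """Create and register an in-memory module (constructed stand-in)."""
    mod = types.ModuleType(name)
    sys.modules[name] = mod
    exec(source, mod.__dict__)
    return mod

# Constructed stand-in for Products.CMFCore.utils, extended with a hook.
UTILS_SRC = '''
def format_stx(text, level=1):
    return "<p>%s</p>" % text
_HOOK_IMPLEMENTATION = format_stx

def setHookImplementation(impl):
    global _HOOK_IMPLEMENTATION
    _HOOK_IMPLEMENTATION = impl

def hooked_format_stx(text, level=1):
    return _HOOK_IMPLEMENTATION(text, level)
'''

# Constructed stand-in for CMFDefault.Document: binds names at import time.
DOCUMENT_SRC = '''
from demo_utils import format_stx, hooked_format_stx

def cook(text):
    return format_stx(text)

def cook_hooked(text):
    return hooked_format_stx(text)
'''

def run(patch_first, sample="<b>x</b>"):
    """Return (direct, hooked) cooked output for a constructed HTML sample."""
    utils = make_module("demo_utils", UTILS_SRC)
    original = utils.format_stx
    def quoting(text, level=1):
        return original(html.escape(text), level)
    if patch_first:
        utils.format_stx = quoting        # patch lands before Document imports
    document = make_module("demo_document", DOCUMENT_SRC)
    if not patch_first:
        utils.format_stx = quoting        # too late: Document holds the old function
    utils.setHookImplementation(quoting)  # hook is looked up at call time
    return document.cook(sample), document.cook_hooked(sample)
```

run(patch_first=False) returns the raw markup from the directly imported function and the quoted markup from the hooked one, which is the case where a product's patch silently fails to apply its policy.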