[Zope-dev] DTML Syntax contd. + rant + summary
Christopher Petrilli
petrilli@digicool.com
Thu, 11 Nov 1999 19:57:03 -0500
On 11/11/99 5:35 PM, Stuart 'Zen' Bishop at zen@cs.rmit.edu.au wrote:
>
> Magic sequence- variables need to have aliases of sequence_ (everyone
> rabidly agrees on this). Strangely enough, no one has owned up to
> actually implementing the '-' variables, most likely as they are
> afraid of being lynched.
I looked at this today, it's not going into 2.1 most likely, it's a LOT of
work to make sure it works, *and* doesn't have any negative performance
impact. Since it will by its nature, I'll need to balance that with a
performance enhancement somewhere :-)
> Program code should not be embedded in the Reporting language.
Amen.
> DTML sucks when used beyond its intended scope as a Reporting language.
> The ability to program in DTML should be discouraged or possibly
> deprecated.
Discouraged, but that's all we can really do in reality.
> DTML is constantly being used beyond its intended scope, as there
> is no way to program Zope without resorting to External methods or
> Python Products with their various caveats. In particular, there
> is no way of running program code in a sandbox without using DTML
> which means all Zope programmers need to be given effective full
> control over the Zope installation.
This is why we're a bit skeptical of new tags which encourage this...
> PythonMethods is available now and could fill the void if it is
> integrated with the Zope distribution. Work will need to be
> done proving that Python Methods opens no security concerns not
> already valid with DTML.
This is being done, I think... it *will* introduce new security concerns,
but we hope to quantify and mitigate them wherever possible. More power
always comes with more danger.
Chris
--
| Christopher Petrilli Python Powered Digital Creations, Inc.
| petrilli@digicool.com http://www.digicool.com