[Zope-dev] Stripogram or similar in core
Florent Guillaume
fg@nuxeo.com
28 Oct 2001 21:36:53 GMT
> Just discussing this with some colleagues today and we got onto
> marshalling data and it occurred to us it would be nice to do something like
> <input type="text" name="something:html:p:br"> that would only allow p and
> br in the html. Ok, it's easy to get around with a fake form, but how about
> being able to only specify certain html tags in metadata in the CMF.
You seem to be aware of the fact, but I'd like to point it out
explicitly: from a security point of view, this is completely useless.
As HTML stripping is often done for security reasons, I fail to see the
interest in such a feature.
(BTW the :required field is also completely useless for security, and
because it's misleading for beginners I even think it's downright
harmful).
-- Florent
--
Florent Guillaume, Nuxeo SARL (Paris, France)
+33 1 40 33 79 10 http://nuxeo.com mailto:fg@nuxeo.com
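
Added example, not part of the original message and not Zope or Stripogram code: a Python sketch of why an allowlist carried in the field name (the `name:html:p:br` syntax proposed in the quoted text) gives no protection, next to the same filter driven by a server-side policy. `SERVER_POLICY`, the function names and the sample form are hypothetical and constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical server-side policy: field name -> tags permitted in its value.
SERVER_POLICY = {"something": {"p", "br"}}

class _AllowlistFilter(HTMLParser):
    """Re-emits only allowed tags (without attributes) and escapes all text."""
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(f"<{tag}>")  # attributes are always dropped
    def handle_endtag(self, tag):
        if tag in self.allowed and tag != "br":  # br has no closing tag
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def strip_html(value, allowed):
    parser = _AllowlistFilter(allowed)
    parser.feed(value)
    parser.close()
    return "".join(parser.out)

def clean_client_declared(form):
    """Weak: the allowlist is read from the submitted field name."""
    cleaned = {}
    for key, value in form.items():
        name, *suffix = key.split(":")
        allowed = set(suffix[1:]) if suffix[:1] == ["html"] else set()
        cleaned[name] = strip_html(value, allowed)
    return cleaned

def clean_server_declared(form):
    """Corrected: any suffix is ignored; the policy is looked up server-side."""
    cleaned = {}
    for key, value in form.items():
        name = key.split(":")[0]
        cleaned[name] = strip_html(value, SERVER_POLICY.get(name, set()))
    return cleaned

# Constructed sample: the page's form asked for p and br only, but the
# submitted field name was edited to also declare b.
SAMPLE_FORM = {"something:html:p:br:b": "<p>hi<b>x</b><br></p>"}

if __name__ == "__main__":
    print(clean_client_declared(SAMPLE_FORM))  # b survives
    print(clean_server_declared(SAMPLE_FORM))  # b is stripped
```
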