[Zope-dev] DTML and REQUEST data changes about to be checked in
Andy McKay
andy@agmweb.ca
Fri, 2 Aug 2002 08:55:13 -0700
Likewise Im trying to digest all that and Im a little suprised. More magic
in DTML? Not something I'd vote for normally.
Im a little confused why this is suddenly an issue, yeah so we pull a string
out of the REQUEST and thanks to DTML stack we may not know where it came
from. Well thats always been there. And yeah the string may contain nasty
HTML. Again that's always been there.
In the past (and I cant find posts to show it) the party line was Zope is an
application server and its up to the person developing the application to
worry about it. Thats why ChrisW wrote stripogram and I use it in quite a
few apps.
One other question? Why does it matter that the string is implicitly called,
why dont you taint explicitly called to? It makes me think of Perl where
taint mode taints anything coming from the user?
This still doesnt solve the party line and means I would like to suggest
again (and this time I have the time to work on it) that we add something
like stripogram or similar to the core, so that is easy for an application
developer to have access to strip html and other functions from products,
DTML, Python Scripts etc to easily alter, manage and make HTML safer.
--
Andy McKay
@gmweb Consulting
http://www.agmweb.ca