[Zope-dev] DTML and REQUEST data changes about to be checked in

Jeffrey P Shell jeffrey@cuemedia.com
Fri, 09 Aug 2002 13:02:48 -0600


On 8/9/02 8:43 AM, "Toby Dickenson" <tdickenson@geminidataloggers.com>
wrote:

> I agree it is true in most cases, but not all. Have you analysed how many
> applications will be broken by this? how they can detect the breakage? I
> certainly will not have time to assess the implications on my applications
> before the scheduled release of 2.6.

This is why I raised the flag of "can there be a way to disable it?", and
Martijn put a fix in:

 - <dtml-var name> and &dtml.-name; will now automatically HTML-quote
    unsafe data taken implicitly from the REQUEST object. Data taken
    explicitly from the REQUEST object is not affected, as well as any
    other data not originating from REQUEST. This can be disabled (at
    your own risk!) by setting the environment variable
    ZOPE_DTML_REQUEST_AUTOQUOTE to one of 'no', '0', or 'disabled'.

I have the same concerns you do, but I figure that if any problems are found
during normal execution of any Zope release this is attached to that I don't
have time to investigate a fix for myself, I can add this environment
variable (which normally I am not fond of doing), restart, and make a note
"investigate fixing site blablabla".  Is there any reason why this solution
wouldn't work for you?
 
> Like I said before, this is probably a good feature. If it was available as a
> patch then I would probably use it on a number of my sites, and would
> recommend it to others. I would be very happy see it (or something like it)
> in 2.7.
> 
> But not 2.6.

Oh, 2.6 will never happen anyways ;)  (seriously folks - what's the plan?).

Since there's no current release plan for 2.6, it's hard to plan future
deployments around it anyways.  But if you have any sites you plan to move
to 2.6, you should test this Autoquote change aggressively during the
alpha/beta cycle.  Since the ZOPE_DTML_REQUEST_AUTOQUOTE change has been put
in, I've reserved future judgments until I get a chance to actually do some
testing.  I know that if I do run into any issues in the future that I don't
have time to deal with, I can just flip that switch off.

-- 
Jeffrey P Shell 
www.cuemedia.com
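
A simplified model of the behaviour the quoted changelog entry describes, added here as an illustration and not Zope's own code. The `Namespace` class, the function names and the "contains `<`" test for unsafe data are assumptions; only the variable name ZOPE_DTML_REQUEST_AUTOQUOTE and its three disabling values come from the post.

```python
import html
import os

# Values the post lists for switching autoquoting off.
DISABLE_VALUES = ("no", "0", "disabled")

def autoquote_enabled(environ):
    return environ.get("ZOPE_DTML_REQUEST_AUTOQUOTE") not in DISABLE_VALUES

class Namespace:
    """Toy lookup stack: application context first, REQUEST as fallback."""
    def __init__(self, context, request):
        self.context = context
        self.request = request

    def lookup(self, name):
        """Return (value, came_from_request) for a bare name."""
        if name in self.context:
            return self.context[name], False
        return self.request[name], True

def looks_unsafe(value):
    # Assumption: "unsafe" means the string could open an HTML tag.
    return "<" in value

def render_implicit(ns, name, environ=None):
    """Model of <dtml-var name>: quote unsafe values that fell through to REQUEST."""
    environ = os.environ if environ is None else environ
    value, from_request = ns.lookup(name)
    if from_request and autoquote_enabled(environ) and looks_unsafe(value):
        return html.escape(value)
    return value

def render_explicit(ns, name):
    """Model of explicit access such as REQUEST['name']: left untouched."""
    return ns.request[name]

if __name__ == "__main__":
    # Constructed sample data.
    ns = Namespace({"title": "<b>Home</b>"}, {"q": "<i>term</i>"})
    print(render_implicit(ns, "title"))
    print(render_implicit(ns, "q"))
    print(render_implicit(ns, "q", {"ZOPE_DTML_REQUEST_AUTOQUOTE": "0"}))
    print(render_explicit(ns, "q"))
```

Comparing the second and third lines of output for each template variable is one way to find pages that depended on unquoted REQUEST data before upgrading.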