[Zope] Python access to dtml-let vars

Thomas B. Passin tpassin@mitretek.org
Tue, 14 May 2002 11:27:41 -0400


[Charlie Reiman]
>
> I want to have a DTML method that has this in it:
>
> <dtml-let var1="'avalue'">
> <dtml-var myscript>
> </dtml-let>
>
> And a python script called myscript that does something like:
>
> print mysterious_voodoo.getitem('var1')
>
> The right text for mysterious_voodoo eludes me. How do I access dtml-let set
> variables from a python script context? Is it possible?
>
> Passing the argument as a named keyword is something I want to avoid as
> there is a security issue with allowing users to type in URLs like
>
> http://blah/myscript?var1=evil_hacker_string
>

You can still use named keywords and positional parameters, just don't use
them right from the URL query string.  Construct and test them yourself - as
you seem to be doing anyway - then you can use them safely.

Conversely, if var1 comes directly from the URL query string, it could do
damage no matter how you transfer it to a script.

Cheers,

Tom P
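A plain-Python model of what Tom describes, added here as an example and not code from the thread or from Zope itself: the value passed as the `var1` keyword is one the DTML author constructed (the `<dtml-let var1="'avalue'">` literal), and `myscript` still tests it before use, so the same script rejects a value lifted straight from the query string. It assumes the Python Script is called as `<dtml-var "myscript(var1=var1)">` with `var1` in its Parameter List; here the script body is an ordinary function and the allow-list is constructed for the example.

```python
import re

# Constructed allow-list of values myscript is willing to act on.
ALLOWED_VAR1 = frozenset({"avalue", "othervalue"})
# Shape check: short identifier-like strings only.
_SAFE_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_var1(value):
    """Return value if it passes the shape check and the allow-list, else raise."""
    if not isinstance(value, str) or not _SAFE_RE.match(value):
        raise ValueError("var1 has an unexpected shape")
    if value not in ALLOWED_VAR1:
        raise ValueError("var1 is not an allowed value")
    return value


def myscript(var1):
    """Stand-in for the Python Script body; var1 is its declared parameter."""
    var1 = validate_var1(var1)
    return "rendered with var1=%s" % var1


def render_dtml_method():
    """Models <dtml-let var1="'avalue'"><dtml-var "myscript(var1=var1)"></dtml-let>.

    The keyword value is a literal the developer wrote, never REQUEST input.
    """
    var1 = "avalue"
    return myscript(var1=var1)


def render_from_query_string(form):
    """The case the original poster wants to avoid: var1 taken from the URL.

    form models REQUEST.form; the test in myscript is what stops the value.
    """
    return myscript(var1=form.get("var1", ""))
```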