[Zope] Re: eval in DTML
Kevin Carlson
khcarlso at bellsouth.net
Fri Feb 6 16:47:20 EST 2004
Thanks for the replies everyone. I was a little worried about the
possibility of some malicious code being passed to the dtml but since
the parameter in question is coming from an external database, it wasn't
a huge possibility. Nonetheless, it was still a possibility so I did
what was suggested below and created a python script to convert the text
representation of the list to a list of integers, which is what is needed.
I appreciate the quick replies!
Josef Meile wrote:
>>You can't use 'eval' in either a DTML method or a python script. You have
>>to create an external method to use 'eval'.
>>
>>
>It's a bad idea. When I was a newbie, I also figured out the same solution,
>but
>somebody said:
>
>"What if instead of a list, some bad user passes: rm -Rf?"
>
>So, it seems a useful command, but in fact it is dangerous.
>
>My suggestion for the thread author: if you can't send a list as somebody
>said,
>then remove the first and last square braces and do a split. Of course this
>will only work if your list is very simple; on the contrary, if you use
>lists of lists,
>you will have to do some kind of recursive function.
>
>Regards,
>Josef
>
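The thread agrees on the fix but does not show it. Below is an added example (my code, not anything posted by Kevin or Josef) of the conversion they describe: the text form of a list coming back from the database is parsed into a list of integers without ever reaching eval(). It goes one step beyond Josef's "strip the braces and split" by handling the nested-list case he mentions with a small recursive-descent parser. Function names (parse_flat_int_list, parse_int_list, rejects) and the sample strings are my own inventions.

```python
"""Turn the text form of a list of ints (e.g. "[1, 2, 3]" or "[[1, 2], [3]]")
into real Python lists without eval().  Added example; not from the thread.
Anything that is not brackets, commas, whitespace or plain integers is rejected,
so a value like "rm -Rf" or "__import__('os')" can never be executed."""

import re

# Strict integer: optional minus, digits only.  Deliberately NOT int(), which
# also accepts surrounding whitespace, underscores ("1_0") and unicode digits.
_INT_RE = re.compile(r"^-?[0-9]+$")

# Tokenizer for the nested parser: brackets, commas, integers, and "\S" as a
# catch-all so any other non-space character becomes a junk token that fails.
_TOKEN_RE = re.compile(r"\[|\]|,|-?[0-9]+|\S")


def parse_flat_int_list(text):
    """Josef's suggestion for the simple case: "[1, 2, 3]" -> [1, 2, 3].

    Raises ValueError on anything that is not a flat list of integers."""
    s = text.strip()
    if not (s.startswith("[") and s.endswith("]")):
        raise ValueError("not a bracketed list: %r" % text)
    body = s[1:-1].strip()
    if body == "":
        return []
    out = []
    for item in body.split(","):
        item = item.strip()
        if not _INT_RE.match(item):
            raise ValueError("not an integer: %r" % item)
        out.append(int(item))
    return out


def parse_int_list(text, max_depth=8):
    """Nested case: "[[1, 2], [], [-3]]" -> [[1, 2], [], [-3]].

    Recursive-descent parser over the token stream.  max_depth bounds the
    recursion so a hostile string of thousands of "[" cannot blow the stack."""
    tokens = _TOKEN_RE.findall(text)
    pos = [0]  # one-element list so the nested function can advance it

    def parse_value(depth):
        if pos[0] >= len(tokens):
            raise ValueError("unexpected end of input")
        tok = tokens[pos[0]]
        if tok == "[":
            if depth >= max_depth:
                raise ValueError("list nested deeper than %d" % max_depth)
            pos[0] += 1
            items = []
            if pos[0] < len(tokens) and tokens[pos[0]] == "]":  # empty list
                pos[0] += 1
                return items
            while True:
                items.append(parse_value(depth + 1))
                if pos[0] >= len(tokens):
                    raise ValueError("unterminated list")
                sep = tokens[pos[0]]
                pos[0] += 1
                if sep == ",":
                    continue
                if sep == "]":
                    return items
                raise ValueError("expected ',' or ']', got %r" % sep)
        if _INT_RE.match(tok):
            pos[0] += 1
            return int(tok)
        raise ValueError("unexpected token %r" % tok)

    value = parse_value(0)
    if pos[0] != len(tokens):
        raise ValueError("trailing data after list: %r" % tokens[pos[0]:])
    if not isinstance(value, list):
        raise ValueError("top level must be a list, got %r" % value)
    return value


def rejects(text):
    """True if parse_int_list refuses the input (used to show what is blocked)."""
    try:
        parse_int_list(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values standing in for the database column.
    print(parse_flat_int_list("[1, 2, 3]"))
    print(parse_int_list("[[1, 2], [], [-3]]"))
    for bad in ("rm -Rf", "__import__('os').system('id')", "[1, 2", "[1,,2]"):
        print("%-32r rejected: %s" % (bad, rejects(bad)))
```

On a modern Python, ast.literal_eval() is the standard-library alternative for the same job; it evaluates literals only and never calls code. The hand-written parser above is still worth having when the accepted shape is narrower than "any literal", because it lets you reject strings, dicts and other values the application was never meant to receive.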