[Zope] REQUEST.form variables order

Tino Wildenhain tino at wildenhain.de
Thu Apr 20 11:16:26 EDT 2006


Gaute Amundsen wrote:
> On Thursday 20 April 2006 13:23, Andrew Milton wrote:
> 
>>+-------[ Gaute Amundsen ]----------------------
>>
>>| On Thursday 20 April 2006 12:15, Andrew Milton wrote:
>>| > +-------[ Gaute Amundsen ]----------------------
> 
> <snip>
> 
>>| But, why render the page, when I could just parse it to get the field
>>| order? Fun with regexp, or dom :)
>>
>>Because you can just throw it at the ZPT or DTML engines, convert to text
>>and as a side-effect you get something ready to put into the email?
>>
>>If you want to write your own parser, feel free.
> 
> 
> I should have suspected :)
> 
> Any hints to get me started on the zpt version?

No, you would not do this in ZPT. ZPT is the templating
engine. You write your logic in Python. An External Method,
for example, if you don't want to write a complete product.

import re

# Capture the name attribute of every <input> tag, in document order.
fe = re.compile(r"<input.*?name=\"(.*?)\".*?>", re.DOTALL | re.MULTILINE | re.IGNORECASE)

def formparser(self):
    # Store the ordered field names as a "lines" property on the object.
    src = self.document_src()
    if self.hasProperty('formelements'):
        self.manage_changeProperties(formelements=fe.findall(src))
    else:
        self.manage_addProperty('formelements',
                                fe.findall(src),
                                "lines")



Put this in an External Method and call it after the user has updated
the HTML of her form on the object (ZPT, DTML) which holds
that HTML. When you get the form request, just use something like:

[dict(element=e, value=request.form.get(e))
 for e in context.formdocument.getProperty('formelements')
 if e in request.form]

which gives you the form elements in a nice list with their
respective values. Advantage: this makes it impossible
for an attacker to just supply more/other form fields
than originally were in the form.

Regards
Tino Wildenhain
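
The allowlist idea from the message above, as an added stand-alone example that is not part of the original post and does not use Zope. It goes beyond the regex by using Python's html.parser so that select, textarea, single-quoted attributes and repeated radio names are handled, and it returns the rejected keys so they can be logged. The function names and the sample form and submission are hypothetical.

```python
from html.parser import HTMLParser

# Tags whose name attribute becomes a key in the submitted form.
FIELD_TAGS = {"input", "select", "textarea"}


class FieldOrderParser(HTMLParser):
    """Collect form field names in document order, once each."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        name = dict(attrs).get("name")
        # Radio and checkbox groups repeat a name; keep the first position.
        if tag in FIELD_TAGS and name and name not in self.names:
            self.names.append(name)


def form_field_names(html_src):
    """Return the allowlist: field names as they appear in the form HTML."""
    parser = FieldOrderParser()
    parser.feed(html_src)
    parser.close()
    return parser.names


def filter_submission(allowed, submitted):
    """Split a submitted form into (ordered accepted pairs, rejected keys)."""
    accepted = [(n, submitted[n]) for n in allowed if n in submitted]
    rejected = sorted(k for k in submitted if k not in allowed)
    return accepted, rejected


# Constructed sample form and submission (not from the original thread).
SAMPLE_FORM = """
<form method="post">
  <input type="text" name="sender">
  <INPUT type='radio' name='topic' value='a'>
  <input type='radio' name='topic' value='b'>
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
"""
SAMPLE_SUBMISSION = {"message": "hi", "is_admin": "1",
                     "sender": "g@example.org", "topic": "b"}

if __name__ == "__main__":
    names = form_field_names(SAMPLE_FORM)
    print(names, *filter_submission(names, SAMPLE_SUBMISSION))
```

The allowlist is built when the form HTML is saved and never from the request, so a posted key such as is_admin ends up in the rejected list instead of the mail body.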

