[ZPT] Path interpolation

Evan Simpson evan@4-am.com
Fri, 02 Aug 2002 10:17:18 -0500


jeffrey wrote:
> For this particular case, how does this differ from using:
> 
>   tal:attributes="src string:./images/foo_${request/foonum}" ?

There is the slight difference that the template itself is doing the 
traversal in the "path:" case, rather than the publishing machinery.  If 
ZPTs had Proxy roles, there would be an obvious problem case.  As it is, 
I'm not entirely sure that there is a real security risk, but I'd like 
to play it safe.

> Likewise, doing path interpolation in a
> Python expression could yield the same results:
> 
>    tal:attributes="src python:path('here/images/foo_%s' % request.foonum)"

A Python expression can do all sorts of potentially unsafe things, this 
among them.  The point isn't to disallow this, but to provide an easy 
way of playing it safe.

> It's not exactly Undocumented.  Shane's made comments in both the Zope Book
> area and the old Wiki containing the specs.  :)

True :-)  Underdocumented, then.

Cheers,

Evan @ 4-am