[ZPT] Path interpolation
Shane Hathaway
shane@zope.com
Fri, 02 Aug 2002 15:28:55 -0400
Evan Simpson wrote:
> Shane Hathaway wrote:
>
>> Steve A. has talked about this before, and I still don't see why this
>> can be considered a security hole. HTTP URLs passed to Zope "cause
>> traversal to an arbitrary object". So traversal is already a highly
>> protected operation. Why do page templates have to be further limited?
>
> I probably should have put my conclusion at the top of my post, rather
> than my complete reasoning :-)
Ok. The word "interpolation" is a little confusing here--maybe we
should call it string substitution. :-)
> I recommend making '$' work the way everyone expects (simple string
> interpolation) and slightly expanding the usability of '?'. Thus:
>
> <tal:demo define="x string:a/b; a python:{'b': 1, 'a/b': 2, '2': 3}"
> replace="string:$x, ${$x}, ${a/?x}, ${a/?{$x}}" />
>
> ...becomes "a/b, 1, 2, 3". Wacky, no?
Wacky indeed. I can imagine that the designers of "bash" had
discussions much like this many years ago. :-) Can we say that a
question mark is only valid when it's located immediately after a slash
character?
Shane
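The following is an added illustration, not code from the thread or from Zope, that models the two substitution rules Evan proposes for `string:` expressions: `$var` as plain textual substitution, and `${...}` as a path expression in which a `?var` segment takes its name from the variable's value as a single traversal step. It reproduces the first three parts of his demo (`$x`, `${$x}`, `${a/?x}`) on the context he gives (`x = "a/b"`, `a = {'b': 1, 'a/b': 2, '2': 3}`); the nested `${a/?{$x}}` form is deliberately left out because the thread does not pin down its semantics. Shane's suggestion that `?` only be honoured directly after a slash is taken as an assumption (a `?` at the start of a path is treated as a literal key). The dictionary-as-context, the names `traverse`, `path_segments`, `evaluate_path` and `interpolate`, and the `TraversalError` class are all this example's own.

```python
import re

# Constructed sample context modelled on Evan's <tal:demo define="...">:
#   x = "a/b";  a = {'b': 1, 'a/b': 2, '2': 3}
# The top-level dict stands in for the template's namespace.
NAMES = {"x": "a/b", "a": {"b": 1, "a/b": 2, "2": 3}}

# A '${...}' path expression or a bare '$name' (hypothetical grammar for
# this example; nested braces are not supported).
TOKEN = re.compile(r"\$\{([^{}]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")


class TraversalError(LookupError):
    """Raised when a path segment cannot be looked up on the current object."""


def traverse(root, segments):
    """Walk one key per segment. A segment is never re-split on '/',
    so a key such as 'a/b' is a single lookup, not two."""
    obj = root
    for seg in segments:
        try:
            obj = obj[seg]
        except (KeyError, TypeError):
            raise TraversalError("cannot traverse %r at segment %r" % (segments, seg))
    return obj


def substitute_dollars(text, names):
    """Evan's '$var' rule: plain string substitution, no traversal at all."""
    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)",
                  lambda m: str(names[m.group(1)]), text)


def path_segments(path, names):
    """Split a path on '/'. A '?var' segment (assumption: only honoured
    directly after a slash, per Shane's question) becomes str(var) as ONE
    segment, even if that value itself contains slashes."""
    segs = []
    for i, seg in enumerate(path.split("/")):
        if i > 0 and seg.startswith("?"):
            segs.append(str(names[seg[1:]]))
        else:
            segs.append(seg)
    return segs


def evaluate_path(path, names):
    """Evan's '${...}' rule: '$var' inside the braces is substituted
    textually FIRST, and only then is the text parsed as a path. A value
    containing '/' therefore turns into extra traversal steps here,
    whereas the same value reached through '?var' is one lookup."""
    expanded = substitute_dollars(path, names)
    return traverse(names, path_segments(expanded, names))


def interpolate(template, names):
    """Render a string: expression body under the two rules above."""
    def repl(m):
        if m.group(1) is not None:          # ${...}: path expression
            return str(evaluate_path(m.group(1), names))
        return str(names[m.group(2)])       # $name: textual substitution
    return TOKEN.sub(repl, template)


def demo():
    # First three parts of Evan's example: "a/b, 1, 2"
    return interpolate("$x, ${$x}, ${a/?x}", NAMES)


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints `a/b, 1, 2`. The instructive comparison is `${$x}` against `${a/?x}`: with `x = "a/b"` the first expands to the path `a/b` and walks two steps to reach `1`, while the second looks up the single key `"a/b"` on `a` and reaches `2`. That is the difference the thread is arguing about: textual `$` substitution inside a path lets the contents of a variable change how many traversal steps are taken, whereas `?var` keeps the value to exactly one segment.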