[ZPT] RE:Re: [Zope] prevent quoting in tal:attributes

fergal at esatclear.ie fergal at esatclear.ie
Thu Oct 2 05:23:56 EDT 2003


I agree that it is dangerous. Would you also argue that tal:replace="structure blah" should not be there either? Ideally it wouldn't I suppose but there are some times when it's needed. Similarly, there is a use for unescape entities but it needs to have flashing red danger signs in the docs and it needs to be switched off by default.

The example you gave demonstrates exactly what's wrong with it but if the string has been generated by the application and the author really wants to put an entity in the output then I'm not convinced we should stop them? Using TAL for document processing (as opposed to interactive web stuff) is a perfect example of where this is a genuine requirement and doesn't pose a security risk,

F

Original Message:
-----------------
From: jamie at audible.transient.net

fergal at esatclear.ie wrote:
> I'm not saying there should be only one way of handling strings.

For the record, I am.  Adding a mode whereby substrings that appear to
be well-formed entities are allowed to forgo the usual quoting in the
context of an attribute value, is too dangerous and should not be
present in the Zope framework whatsoever.
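As an added illustration (not code from this thread, nor from Zope or TAL), here is a small Python model of the two behaviours under discussion: the default attribute quoting beside a hypothetical mode that lets substrings which look like well-formed entities skip quoting, with a check of whether the viewer ends up seeing exactly the characters the template supplied. The function names, the sample strings and the entity regex are assumptions made for the example.

```python
import html
import re

# Constructed approximation of "looks like a well-formed entity":
# a named reference (&amp;), a decimal one (&#39;) or a hex one (&#x27;).
ENTITY_RE = re.compile(r"&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#x[0-9A-Fa-f]+);")


def quote_attr(value: str) -> str:
    """Default TAL-style behaviour: every &, <, >, " is quoted, so the
    browser always displays exactly the characters in `value`."""
    return html.escape(value, quote=True)


def quote_attr_keep_entities(value: str) -> str:
    """Hypothetical 'unescape entities' mode: substrings that already look
    like well-formed entities pass through untouched; the rest is quoted."""
    out = []
    pos = 0
    for m in ENTITY_RE.finditer(value):
        out.append(html.escape(value[pos:m.start()], quote=True))
        out.append(m.group(0))  # passed through without quoting
        pos = m.end()
    out.append(html.escape(value[pos:], quote=True))
    return "".join(out)


def rendered_text(quoted: str) -> str:
    """What a browser shows for the attribute after entity decoding."""
    return html.unescape(quoted)


def round_trips(value: str, quoter) -> bool:
    """True when the viewer sees exactly the characters the template put in.
    Default quoting always round-trips; the entity-keeping mode does not."""
    return rendered_text(quoter(value)) == value


if __name__ == "__main__":
    # Constructed sample: the author wanted the literal text "&lt;b&gt;" shown.
    sample = "&lt;b&gt;"
    for name, quoter in (("default", quote_attr),
                         ("keep-entities", quote_attr_keep_entities)):
        q = quoter(sample)
        print(f"{name:14} attr={q!r:24} shown={rendered_text(q)!r} "
              f"round_trips={round_trips(sample, quoter)}")
```

With the entity-keeping mode the quoting function is no longer injective: two different template strings can render to the same attribute text, which is why the thread wants it off by default.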





