[ZPT] RE: Re: [Zope] prevent quoting in tal:attributes

Jamie Heilman jamie at audible.transient.net
Thu Oct 2 06:33:44 EDT 2003


fergal at esatclear.ie wrote:
> I agree that it is dangerous. Would you also argue that
> tal:replace="structure blah" should not be there either?

No, again, I speak only of attribute values.

> The example you gave demonstrates exactly what's wrong with it but
> if the string has been generated by the application and the author
> really wants to put an entity in the output then I'm not convinced
> we should stop them? Using TAL for document processing (as opposed
> to interactive web stuff) is a perfect example of where this is a
> genuine requirement and doesn't pose a security risk,

You can call it risk, or you can call it flat-out data corruption, or
you can call it perfectly acceptable behavior.  Whatever you call it,
is, as you've identified, dependent upon the application.  But now
consider that Page Templates only recognise two modes of application,
XML and HTML, and neither of these require the requested feature.
Sure, you *can* build other document formats with page templates, but
that doesn't mean you *should*, or that the *syntax* should be
extended to make it easy to fudge it.  I'll invoke (once again) a
tenet of the UNIX philosophy, "do one thing, and do it well."  I can
appreciate that Dieter's SGML application is tantalizingly close to
being realizable with stock Page Templates, but by compromising the
treatment of attribute values for one application you do it for all of
them.  Does it have to be that way?  Probably not.  The media type is
already a behavior modifier, I don't see any reason why one couldn't
add their own proprietary extension to the known media types then tie
new behaviors to it and to it alone.  (Don't construe this as my
suggestion of how to further bloat the main code-base though, I think
the changes should be reverted and the entire thing dropped.)

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
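The trade-off argued over in this thread, as an added illustration that is not part of the message above and not Zope's own TAL implementation: `render_attr` and `attr_is_well_formed` are hypothetical names, and the two sample values are constructed. With `structure=False` it behaves like stock Page Templates (every attribute value is entity-quoted, which also double-escapes an entity the author deliberately put in the string); with `structure=True` it models the requested escape hatch, where a single stray quote in application data yields a malformed attribute rather than a quoted one.

```python
# Added illustration (not from the ZPT thread or Zope's own code): what
# tal:attributes' always-quote rule guarantees, and what the proposed
# "structure" mode for attribute values would give up. Names hypothetical.
from html import escape


def render_attr(name, value, structure=False):
    """Render one HTML/XML attribute.

    structure=False mirrors stock Page Templates: the value is entity-quoted,
    so it can never close the attribute or the tag, at the cost of turning a
    pre-written entity such as "&copy;" into "&amp;copy;".
    structure=True models the discussed extension: the string is emitted
    verbatim, which is only correct if the application already guarantees
    it contains no unescaped quotes.
    """
    rendered = value if structure else escape(value, quote=True)
    return f'{name}="{rendered}"'


def attr_is_well_formed(rendered):
    """Reviewer-style check on a rendered attribute: exactly one opening and
    one closing quote, and no raw '<' inside the quoted value."""
    body = rendered.split("=", 1)[1]
    return body.count('"') == 2 and "<" not in body[1:-1]


if __name__ == "__main__":
    # Constructed sample: ordinary application data containing a quote.
    for mode in (False, True):
        out = render_attr("title", '15" monitor', structure=mode)
        print(mode, out, attr_is_well_formed(out))
    # Constructed sample: the document-processing case from the thread,
    # where the author already placed an entity in the string.
    for mode in (False, True):
        print(mode, render_attr("title", "Tom &copy; Jerry", structure=mode))
```

Run as-is, the quoted rendering of `15" monitor` passes the well-formedness check and the verbatim one fails it, while the `&copy;` example shows the double-escaping that the document-processing use case objects to; that is the per-application judgement the message argues should not be settled by changing the shared attribute syntax.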
