[ZPT] Re: [Zope] prevent quoting in tal:attributes

Evan Simpson evan at 4-am.com
Thu Oct 2 15:48:23 EDT 2003


Jamie Heilman wrote:
> ...and therein lies the rub.  Uncertainty in the face of security is
> reason enough to unconditionally quote attribute values in my mind.
> At any rate, I hope the following example will sufficiently illustrate
> why Evan's latest changes are unacceptable.

Yes, there's a problem here.  Compare the old behavior with the new in 
the following case, however:

<form method="GET">
<input name="units" value="&euro;"
        title="default is &euro;"
        tal:attributes="value request/units | default" />
<input type="submit" value="Convert to &euro;"
        tal:define="units request/units | string:"
        tal:attributes="value python:test(units, 'Convert to '+units, default)" />
</form>

Under the old system, macro expansion and execution will both mangle the 
'value' attributes, but not 'title', since it isn't dynamic.

I *really* hate the idea of having to come up with some kind of tainting 
scheme to fix this.

Cheers,

Evan @ 4-am
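The tradeoff the thread is arguing about, shown as an added example that is not Zope's or TAL's code: an unquoted attribute lets an untrusted request value break out of the attribute, unconditional quoting is safe but mangles a value that was already entity-encoded (the `&euro;` case above), and decoding entities before escaping once is one way out that does not need a tainting scheme. The sample values and the three renderers are constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample values for the 'value' attribute of the form in the mail.
STATIC_ENTITY = "&euro;"               # literal already encoded in the template
UNTRUSTED = 'EUR" title="injected'     # constructed request/units value containing a quote


def attr_raw(value: str) -> str:
    """No quoting at all: what 'prevent quoting in tal:attributes' amounts to."""
    return f'<input name="units" value="{value}" />'


def attr_quoted(value: str) -> str:
    """Unconditional escaping of &, <, >, and both quote characters."""
    return f'<input name="units" value="{html.escape(value, quote=True)}" />'


def attr_canonical(value: str) -> str:
    """Decode any entities first, then escape exactly once (assumed alternative,
    not TAL's behaviour): pre-encoded text survives, a raw quote still cannot
    terminate the attribute."""
    return f'<input name="units" value="{html.escape(html.unescape(value), quote=True)}" />'


class _InputAttrs(HTMLParser):
    """Collect the attributes a browser-like parser sees on the <input> element."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attrs(markup: str) -> dict:
    """Parse the rendered markup; an unexpected 'title' key means the value broke out."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for render in (attr_raw, attr_quoted, attr_canonical):
        print(render.__name__, parsed_attrs(render(STATIC_ENTITY)), parsed_attrs(render(UNTRUSTED)))
```

Only the canonicalising renderer yields the euro sign for the static value and keeps the untrusted value confined to a single attribute; raw rendering decodes the entity but admits the injected attribute, and unconditional quoting confines the value but displays the literal text `&euro;`.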
