[ZPT] Re: "structure" and TAL interpretation
Casey Duncan
casey at zope.com
Fri Jul 23 14:39:34 EDT 2004
On Fri, 23 Jul 2004 10:49:13 -0400
Fred Drake <fdrake at gmail.com> wrote:
> When using tal:content="structure some/path" or tal:replace="structure
> some/path", the TAL interpreter takes the result of some/path and
> parses it, evaluating any TAL attributes included in the structure,
> before inserting the result in the output.
>
> This is a huge performance hit.
>
> Is anybody relying on the current behavior? Is it being found useful?
>
> We're considering adding a new insertion mode, possibly called
> "unquoted", that skips the parsing and evaluation of the result of the
> expression. This would likely first appear in ZopeX3 3.1.0, and won't
> be implemented until after ZopeX3 3.0.0 is finished.

This does not appear to be the case in Zope 2 page templates. If this is
true in Zope 3 then it is a security hole because it would allow content
authors, who would normally only be allowed to create static page
structure, to create scripts that run on the server side.

IMO this is bad and should be considered a bug.

-Casey
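
The risk discussed in this thread, as an added example that is not part of the original messages and is not Zope's code: a toy interpreter for a small TAL-like subset, showing what happens to author-supplied markup when a "structure" result is re-interpreted versus inserted verbatim. The regex grammar, `render`, `reparse_structure`, and the sample data are all assumptions made for illustration.

```python
import html
import re

# Toy subset of TAL: <tag tal:content="[structure ]name">default</tag>.
# Hypothetical stand-in for illustration; not Zope's TAL interpreter.
TAL_CONTENT = re.compile(
    r'<(?P<tag>\w+) tal:content="(?P<mode>structure )?(?P<name>[\w/]+)">'
    r'.*?</(?P=tag)>',
    re.S,
)

def render(template, context, reparse_structure):
    """Render the toy template against context.

    reparse_structure=True models the behaviour described in the quoted
    message: the result of a "structure" expression is itself interpreted.
    reparse_structure=False inserts that result verbatim.
    """
    def substitute(match):
        value = str(context.get(match["name"], ""))
        if match["mode"] is None:
            body = html.escape(value)            # plain text: always quoted
        elif reparse_structure:
            body = render(value, context, True)  # author markup is evaluated
        else:
            body = value                         # author markup stays inert
        return "<{0}>{1}</{0}>".format(match["tag"], body)
    return TAL_CONTENT.sub(substitute, template)

# Constructed sample data: PAGE is written by a trusted template developer,
# "body" is supplied by a content author, "internal_note" is server-side state.
PAGE = '<div tal:content="structure body">placeholder</div>'
CONTEXT = {
    "body": '<p>Hello</p><i tal:content="internal_note">x</i>',
    "internal_note": "constructed-internal-value",
}

def demo():
    """Return (re-parsed output, verbatim output) for the sample page."""
    return render(PAGE, CONTEXT, True), render(PAGE, CONTEXT, False)

if __name__ == "__main__":
    for output in demo():
        print(output)
```

With re-parsing, the author's `tal:content` attribute is resolved against the server-side context and the internal value appears in the page; with verbatim insertion the attribute passes through as inert markup.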