Hi, Andre. Thanks for your feedback. I will definitely port this to the 2.1 branch and submit a new patch.

> - one should recognize ; as delimiter as well (ok, trivial)

Easy enough.

> - to circumvent the security flaw, I'd suggest to extend the #set handler
> instead, for example:
> <!--#set var="foo" query="param_name" -->, which would be really safe.
> I'm not sure, whether the query parameter should be expanded.
> Opinions?

Another idea I thought of was to put the query string vars in a separate table, and have a special prefix for accessing that table (something like @var instead of $var). That would prevent overwriting important stuff in subprocess_env. I also like your idea, though it is a bit more cumbersome for the person writing the SSI.

> - The second one could be solved with things like
> <!#--set var="foo" query="param_name[i]" -->, where i starts with 0 or
> 1 (?).

It should start with zero of course. :P
