Yuen Ho Wong <wyue...@gmail.com> added the comment:

I think you are mixing 3 problems into 1. I think AuthTktCookiePlugin should be simply a plugin that parses, sets and deletes auth_tkt cookies. Security, which I assume you are talking about XSS, is not a responsibility of this plugin; the application is supposed to take care of that. If your application allows <script>sendHackerMyCredentials();</script> to be a user name, then let whatever deity you subscribe to help you.

Since only a byte string is allowed to be in a cookie, you have 2 options:

1) just allow whatever login is to go through,
2) if you want to make the type of the input explicit, assert isinstance(login, str)
__________________________________
Repoze Bugs <b...@bugs.repoze.org>
<http://bugs.repoze.org/issue101>
__________________________________
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
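The division of labour argued for above (the plugin only builds, parses and verifies the auth_tkt cookie; the application escapes whatever user name comes back) can be made concrete with a small Python 3 model. The code below is an added example written for this page, not code from repoze.who, paste.auth.auth_tkt or the bug reporter. It assumes the mod_auth_tkt ticket layout (32-hex MD5 digest, 8-hex timestamp, then userid, tokens and user data separated by "!", with the digest computed over the IPv4 bytes, the big-endian timestamp, the shared secret and the three fields), and it carries the comment's type check as a Python 3 str check since the original discussion predates the bytes/str split. The names make_ticket, parse_ticket, render_greeting and rejected are this example's own.

```python
"""auth_tkt-style cookie builder/parser, added as an illustration only.

Ticket layout assumed here (mod_auth_tkt style, not repoze.who's own code):

    hexdigest + "%08x" % timestamp + userid + "!" + tokens + "!" + user_data

where hexdigest = md5(md5(ip4_bytes + ts_be32 + secret + userid + "\\0"
                          + tokens + "\\0" + user_data).hexdigest() + secret)
"""
import hashlib
import hmac
import html
import struct
import time

SEP = "!"  # field separator inside the ticket


class BadTicket(ValueError):
    """Cookie value does not parse, fails the digest check, or is expired."""


def _digest(secret: bytes, ip: str, ts: int, userid: bytes, tokens: bytes, data: bytes) -> str:
    # IPv4 address as 4 raw bytes, timestamp as big-endian uint32, then the fields.
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    inner = hashlib.md5(
        ip_bytes + struct.pack("!I", ts) + secret + userid + b"\0" + tokens + b"\0" + data
    ).hexdigest()
    return hashlib.md5(inner.encode("ascii") + secret).hexdigest()


def make_ticket(secret: bytes, login, ip: str = "0.0.0.0", tokens=(), data: str = "", ts=None) -> str:
    """Build a ticket. The plugin stores the login verbatim; it does not sanitise it."""
    # The comment's explicit type check: a text login, encoded to UTF-8 for the digest.
    if not isinstance(login, str):
        raise TypeError("login must be str, got %s" % type(login).__name__)
    # "!" delimits the fields in the layout modelled here, so it cannot appear inside one.
    if SEP in login or SEP in data or any(SEP in t for t in tokens):
        raise ValueError("%r is the field separator and cannot appear in a field" % SEP)
    ts = int(time.time()) if ts is None else int(ts)
    tok = ",".join(tokens)
    digest = _digest(secret, ip, ts, login.encode("utf-8"), tok.encode("utf-8"), data.encode("utf-8"))
    return "%s%08x%s%s%s%s%s" % (digest, ts, login, SEP, tok, SEP, data)


def parse_ticket(secret: bytes, ticket: str, ip: str = "0.0.0.0", max_age=None, now=None) -> dict:
    """Parse and verify a ticket; raise BadTicket on any problem."""
    if len(ticket) < 40:
        raise BadTicket("ticket too short")
    digest, ts_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        raise BadTicket("bad timestamp")
    if SEP not in rest:
        raise BadTicket("missing field separator")
    userid, rest = rest.split(SEP, 1)
    tokens, data = rest.split(SEP, 1) if SEP in rest else ("", rest)
    expected = _digest(secret, ip, ts, userid.encode("utf-8"), tokens.encode("utf-8"), data.encode("utf-8"))
    # Constant-time comparison so the digest check does not leak via timing.
    if not hmac.compare_digest(expected, digest):
        raise BadTicket("digest mismatch")
    current = time.time() if now is None else now
    if max_age is not None and current - ts > max_age:
        raise BadTicket("ticket expired")
    return {"userid": userid, "tokens": tokens.split(",") if tokens else [], "data": data, "timestamp": ts}


def rejected(secret: bytes, ticket: str, **kw) -> bool:
    """True if parse_ticket refuses the ticket (helper for demonstrations)."""
    try:
        parse_ticket(secret, ticket, **kw)
    except BadTicket:
        return True
    return False


def render_greeting(userid: str) -> str:
    # The plugin returns the login exactly as stored; escaping for HTML is the application's job.
    return "<p>Hello, %s</p>" % html.escape(userid)


if __name__ == "__main__":
    secret = b"constructed-sample-secret"  # constructed sample value
    hostile = "<script>sendHackerMyCredentials();</script>"
    t = make_ticket(secret, hostile, tokens=["admin"], data="x", ts=1234567890)
    print(parse_ticket(secret, t)["userid"] == hostile)   # plugin hands it back unchanged
    print(render_greeting(parse_ticket(secret, t)["userid"]))  # application escapes it
    print(rejected(secret, t[:40] + "root" + t[40 + len(hostile):]))  # digest catches tampering
```

The script shows the three separate concerns the comment distinguishes: the type check on login, the ticket digest (which catches a userid swapped in the cookie but says nothing about what the userid contains), and HTML escaping, which lives in the application's rendering code rather than in the cookie plugin.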