This indeed is a problem.
Isn't this an issue because all of these quasi-private methods have a
docstring and are hence callable via an HTTP request? If we were
to remove the docstring from manage_form_title (i.e. via rewriting this
as a Python method which delegates to the underlying DTM
On Fri, 16 Jan 2004, Alan Milligan wrote:
>
> Tres Seaver wrote:
> > That change is one of a number which are designed to prevent
> > cross-site scripting attacks; DTML is particularly vulnerable to such
> > cracks, as it doesn't force the template writer to choose the source
> > from which t
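To make the docstring point above concrete, here is a small model of the publishing rule it relies on: Zope 2's publisher only exposes a traversed name when it does not start with an underscore and the object found there has a non-empty docstring, which DTML Methods always have. This is an added example written for this page, not Zope's code; the Product class, the DTMLMethod stand-in and the manage_form_title_py wrapper are constructed, and the rule is reduced to callables for clarity.

```python
"""Toy model of the Zope 2 publishing check discussed in the thread.
Added example, not ZPublisher itself: names and classes are constructed."""


class DTMLMethod:
    """Stand-in for a DTML Method; like the real one it carries a docstring,
    which is exactly why the publisher will call it for an HTTP request."""

    def __init__(self, name, source):
        self.name = name
        self.source = source

    def __call__(self, **form):
        # The real object renders its template; returning the source is
        # enough to show which names are reachable.
        return self.source


class Product:
    """Constructed product with one DTML-backed management screen."""

    def __init__(self):
        self.title = "Example"
        # Attribute-style DTML method, as in the product under discussion.
        self.manage_form_title = DTMLMethod("manage_form_title",
                                            "<h2>&dtml-title;</h2>")

    def manage_form_title_py(self, REQUEST=None):
        # Deliberately no docstring: Python callers can still use this,
        # but the publisher refuses to expose it by URL.
        return self.manage_form_title()

    def _private_helper(self):
        """Has a docstring, but the leading underscore keeps it unpublished."""
        return "not for the web"


def is_publishable(name, obj):
    """Approximation of the publisher's rule for a traversed name."""
    if name.startswith("_"):
        return False
    if not callable(obj):
        return False
    doc = getattr(obj, "__doc__", None)
    return bool(doc) and bool(doc.strip())


def publishable_names(instance):
    """Names an HTTP client could reach on `instance` under that rule."""
    return sorted(n for n in dir(instance)
                  if is_publishable(n, getattr(instance, n)))


def publish(instance, name, **form):
    """Dispatch one URL segment like /product/<name>, or refuse it."""
    obj = getattr(instance, name, None)
    if obj is None or not is_publishable(name, obj):
        raise LookupError("NotFound: %s" % name)
    return obj(**form)


if __name__ == "__main__":
    p = Product()
    print(publishable_names(p))          # only the DTML-backed name
    print(publish(p, "manage_form_title"))
```

Running it shows that only manage_form_title is reachable: the docstring-less Python wrapper and the underscore-prefixed helper both fall through to NotFound, which is the mitigation the message above is reaching for.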
Tres Seaver wrote:
Alan Milligan wrote:
In addition to this problem, someone has changed manage_form_title.dtml
and caused me grief!
The tag has been changed to <&dtml-title;>
This causes an implicit html-quote to now be performed which means that
my tag, inserted to display the product's icon to more strongly
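The behaviour Alan is describing, and the reason Tres gives for it, can be shown side by side with a minimal expander for the two DTML forms in question: <dtml-var title> inserts the value raw, while &dtml-title; (or <dtml-var title html_quote>) passes it through html_quote first. This is an added example for this page, not DocumentTemplate's code; the attacker-controlled title, the icon markup and the icon variable are constructed, and html_quote applies the four substitutions Zope's html_quote makes.

```python
"""Added example: why the switch to &dtml-title; blocks script injection
and why it also escapes markup that was smuggled in through `title`."""
import re


def html_quote(value):
    """The substitutions Zope's html_quote applies; '&' must go first."""
    return (str(value).replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))


# One pass over both forms so a raw value can never be re-expanded.
_TOKEN = re.compile(r"<dtml-var\s+(\w+)(\s+html_quote)?\s*>|&dtml-(\w+);")


def render(template, namespace):
    """Expand <dtml-var x> (raw), <dtml-var x html_quote> and &dtml-x; (quoted)."""
    def substitute(match):
        if match.group(3):                      # &dtml-name; always quotes
            return html_quote(namespace[match.group(3)])
        value = namespace[match.group(1)]
        return html_quote(value) if match.group(2) else str(value)
    return _TOKEN.sub(substitute, template)


OLD_FORM = "<h2><dtml-var title></h2>"      # before the change: raw insert
NEW_FORM = "<h2>&dtml-title;</h2>"          # after the change: html-quoted

# Constructed inputs: a hostile title and the kind of markup a product
# author might have put in `title` to draw an icon.
HOSTILE_TITLE = "Foo<script>alert(document.cookie)</script>"
ICON_TITLE = '<img src="icon.gif"> MyProduct'

# Assumed resolution: keep the quoting and move the markup into the
# template, exposing only the icon path as a variable.
ICON_TEMPLATE = '<h2><img src="&dtml-icon;"> &dtml-title;</h2>'


def compare():
    """Return the renderings a reviewer would want to see together."""
    return {
        "old_hostile": render(OLD_FORM, {"title": HOSTILE_TITLE}),
        "new_hostile": render(NEW_FORM, {"title": HOSTILE_TITLE}),
        "new_icon": render(NEW_FORM, {"title": ICON_TITLE}),
        "fixed_icon": render(ICON_TEMPLATE,
                             {"title": "MyProduct", "icon": "icon.gif"}),
    }


if __name__ == "__main__":
    for label, html in compare().items():
        print("%-12s %s" % (label, html))
```

The old form emits the <script> element verbatim, which is the cross-site scripting Tres refers to; the new form turns it into inert text. The same quoting is what breaks an <img> tag carried in `title`, so the workable fix is to keep &dtml-title; and put the icon markup in the template, with only the path supplied as a variable.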