On Thursday 08 Aug 2002 9:29 pm, Martijn Pieters wrote:
> On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote:
> > > I am about to land some big changes in the way DTML deals with data
> > > taken from the REQUEST object when accessed implicitly, in both the
> > > Zope Trunk and the Zope 2.5 branch.
> >
> > In my opinion this change is completely unacceptable at this late stage
> > of the release cycle. As you said:
> > > These changes could potentially break existing Zope sites.
> >
> > The existing behavior might be flawed, but it is a flaw we have all lived
> > with for a long time. In my opinion this needs:
> >
> > 1. To be deferred until the 2.7 cycle.
> >
> > 2. A detailed fishbowl proposal.
>
> Note that the problems fixed are potential security problems. Although we
> cannot fix every site out there for sure, the fixes certainly dramatically
> reduce the risks.

I'm not going to argue that this feature is bad - because I don't believe
that to be true. I suspect the feature is not exactly quite right - but those
issues can easily be resolved over a full release cycle.

> The risk for breakage is very small really

Your choice of '<' and html_quote suggests that my dtml code which generates
javascript and vbscript carries a higher risk than dtml which generates html.

> , and breakage
> will generally only occur when someone is trying to exploit the weakness,
> not in normal operation of the site.

The fact that your change uses html_quote to 'fix' the problem rather than
sounding 'hacker alert' alarm bells suggests to me that you don't really
believe that ;-)

> I'll leave any decisions on whether or not this stays in the current release
> cycles or moves to 2.7 to Jim Fulton. He is unfortunately on vacation
> until next week.

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
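The html_quote objection above, worked through as an added example that is not part of the thread or of Zope's own code: `html_quote` here is modelled on the four characters Zope's version rewrites (`&`, `<`, `>`, `"`), which is an assumption about Zope, and the `var name = '...'` template, the `js_single_quote` escaper and the literal scanner are hypothetical constructs of this example. The scanner checks whether a REQUEST value, once escaped, can still change the structure of a script statement the DTML emits.

```python
# Added example, not from the Zope-Dev thread or from Zope itself: html_quote
# style escaping of REQUEST values protects DTML that renders HTML but not DTML
# that renders JavaScript. html_quote is modelled on the four characters Zope's
# version rewrites (& < > "); the JS escaper and scanner are this example's own.

HTML_QUOTE_TABLE = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
JS_PREFIX, JS_SUFFIX = "var name = '", "';"   # the DTML template around the value

def html_quote(value: str) -> str:
    """Escape for HTML text and double-quoted attributes; leaves ' and \\ alone."""
    return "".join(HTML_QUOTE_TABLE.get(ch, ch) for ch in value)

def js_single_quote(value: str) -> str:
    """Escape for a single-quoted JS literal: \\uXXXX every character that could
    end the literal, the statement or the enclosing <script> element."""
    risky = "\\'\"<>/&\n\r\u2028\u2029"
    return "".join("\\u%04x" % ord(ch) if ch in risky or ord(ch) < 0x20 else ch
                   for ch in value)

def literal_ends_where_expected(statement: str) -> bool:
    """Walk the single-quoted literal in `statement`, honouring backslash escapes;
    False means the inserted value changed the structure of the script."""
    if not statement.startswith(JS_PREFIX):
        return False
    i = len(JS_PREFIX)
    while i < len(statement):
        if statement[i:].lower().startswith("</script"):
            return False              # would end the <script> element mid-literal
        ch = statement[i]
        if ch == "\\":
            i += 2                    # escaped character: skip what it escapes
            continue
        if ch in "\n\r":
            return False              # line terminator: unterminated literal
        if ch == "'":
            return statement[i:] == JS_SUFFIX
        i += 1
    return False                      # ran off the end without closing the literal

def audit(tainted: str) -> tuple:
    """(script intact with html_quote?, script intact with js_single_quote?)"""
    naive = JS_PREFIX + html_quote(tainted) + JS_SUFFIX
    safe = JS_PREFIX + js_single_quote(tainted) + JS_SUFFIX
    return literal_ends_where_expected(naive), literal_ends_where_expected(safe)

if __name__ == "__main__":
    # Constructed sample values standing in for submitted REQUEST form data.
    for sample in ("hello", "O'Reilly", "</script><b>", "ends\\"):
        print(repr(sample), audit(sample))   # (True, True) (False, True) (True, True) (False, True)
```

The `</script><b>` case is the one html_quote does cover, which is why the '<' choice looks sufficient from the HTML side; the apostrophe and trailing-backslash cases are the ones it misses in a script context.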