On 4/6/11 7:43 PM, Roger wrote:
[..]
> I think protecting the form is just one part of a concept.
> Another part must be to prevent injecting JavaScript into
> user generated content. If an application allows posting
> JS in a blog post or comment etc. it should be possible to
> use easydmx to read and re-use the secure form token.
> (not approved but should work)

For that reason both CMF as well as Plone "clean" user input by stripping nasty tags and such - at least by default.

Raphael

> One of my bigger concerns is also that such a token will
> break a lot of our tests, which would force us to use
> custom, non-security-token-generating form classes.
>
> I'm fine in general with implementing such a concept
> in z3c.form but it should be optional.
> Why not offer additional form classes or a mixin
> to support such a token?
>
> Regards
> Roger Ineichen
>
>> Laurence
>>
>
> _______________________________________________
> Zope-Dev maillist - Zope-Dev@zope.org
> https://mail.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope )
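An added example, not code from z3c.form or from either poster, sketching the optional mixin Roger asks for: the token is an HMAC over the form's class name keyed by a per-session secret, and only forms that mix the class in require it, so existing tests of plain forms keep working. The `Form` base class, the `_authenticator` field name and the dict-shaped `request` are stand-ins, not the z3c.form API.

```python
import hashlib
import hmac
import secrets


class Form:
    """Stand-in for a framework form base class (hypothetical, not z3c.form.form.Form)."""

    def __init__(self, request):
        # request is a constructed dict: {"session": {...}, "form": {...}}
        self.request = request

    def update(self):
        # The plain form has no token requirement at all.
        return True


class ProtectedFormMixin:
    """Mixed in only where a form should demand a security token."""

    TOKEN_FIELD = "_authenticator"  # hidden field name; an assumed name

    def session_secret(self):
        # One random secret per session, created on first use.
        session = self.request["session"]
        if "csrf_secret" not in session:
            session["csrf_secret"] = secrets.token_hex(32)
        return session["csrf_secret"]

    def token(self):
        # Bind the token to this form class so a token from one form
        # cannot be replayed against another form in the same session.
        msg = type(self).__name__.encode()
        return hmac.new(self.session_secret().encode(), msg, hashlib.sha256).hexdigest()

    def check_token(self):
        submitted = self.request["form"].get(self.TOKEN_FIELD, "")
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        return hmac.compare_digest(submitted.encode(), self.token().encode())

    def update(self):
        # Refuse to process the submission unless the token matches.
        if not self.check_token():
            return False
        return super().update()


class CommentForm(Form):
    """Unprotected form: tests that post fields directly still pass."""


class ProtectedCommentForm(ProtectedFormMixin, Form):
    """Same form with the token requirement switched on."""
```

As Roger notes, a token like this only holds if no injected script can read it from the page, which is why the input cleaning Raphael describes matters alongside it.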