Barry Warsaw writes:

> Would you make $list.css editable by the list admin, a la
> listinfo.html? Does doing so open any additional security
> vulnerabilities?
Yes to editable, I don't know to security vulnerabilities.

View the CSS Zen Garden (better yet, get the book), and know fear. What those people manage to do without ever changing a tag is amazing! Since CSS is intended to be purely presentational, the two threats I can see are hiding evil that they sneak in some other way, and "social engineering" via misdirection. E.g., I can imagine some mischief where you swap the labels of the "Cancel" and "Submit" buttons via CSS.

> > with CSS, not Python code. Note that with a little care, the same
> > module that does the t-t-w CSS generation could probably accept an
> > mm_cfg.py and (a) use the variables defined in mm_cfg.py to generate
> > site.css and (b) remove them (warning loudly that setting them in the
> > future will have no effect).
>
> I don't like being able to upload mm_cfg.py ttw, even if it's just to
> suck a few ui variables out of it. If we're going to allow ttw
> updating to the css, let's just do that directly instead of going
> through Python code.

Sorry, my wording was *very* imprecise. What I had in mind was that the ttw CSS generating <FORM> in HTML will give you KEY=VALUE pairs, which is what mm_cfg.py is. So the logic for generating CSS would be the same. The UIs would be completely separate. ttw would go via one or more HTML forms. The "import mm_cfg" interface would only be available via the shell, which would not be available ttw.

_______________________________________________
Mailman-Developers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
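Added example, not Mailman code and not written by anyone in this thread: a Python sketch of the KEY=VALUE-driven CSS generator the message describes, where the list admin never supplies stylesheet text, only named values that are validated before being rendered into $list.css. The same generator is fed either from form fields (the ttw path) or from plain string assignments pulled out of an mm_cfg.py-style file (the shell path). The key names, selectors, value syntaxes and the choice to read mm_cfg-style source with `ast` rather than importing it are all assumptions made for this example.

```python
"""Generate a per-list stylesheet from KEY=VALUE pairs.

Added example, not Mailman's code. Because only allow-listed keys with
strictly validated values are accepted, an admin cannot smuggle in rules
that hide elements or re-label buttons: a value such as
"red; } input[type=submit] { display: none" is rejected outright.
"""
import ast
import re

# Hypothetical form keys -> (selector, CSS property, value kind).
# Selectors and key names are assumptions, not Mailman's real ones.
ALLOWED_KEYS = {
    "BACKGROUND_COLOR": ("body", "background-color", "color"),
    "TEXT_COLOR": ("body", "color", "color"),
    "LINK_COLOR": ("a", "color", "color"),
    "HEADER_COLOR": ("h1, h2", "color", "color"),
    "BASE_FONT_SIZE": ("body", "font-size", "length"),
    "FONT_FAMILY": ("body", "font-family", "font"),
}

# Each value kind is a closed grammar; anything else is refused.
_VALIDATORS = {
    "color": re.compile(r"#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?"),
    "length": re.compile(r"[1-9][0-9]?(?:\.[0-9])?(?:px|pt|em|%)"),
    "font": re.compile(r"[A-Za-z][A-Za-z0-9 ,\-]{0,60}"),
}


class CSSConfigError(ValueError):
    """Raised for an unknown key or a value outside its allowed grammar."""


def validate_value(kind, value):
    """Return the stripped value if it fully matches the grammar for `kind`."""
    value = value.strip()
    if not _VALIDATORS[kind].fullmatch(value):
        raise CSSConfigError("invalid %s value: %r" % (kind, value))
    return value


def generate_list_css(pairs):
    """Render a dict of KEY -> VALUE into CSS text.

    Unknown keys raise rather than being ignored, so a typo in a form field
    or config file is noticed instead of silently doing nothing.
    """
    rules = {}
    for key, value in pairs.items():
        if key not in ALLOWED_KEYS:
            raise CSSConfigError("unknown key: %r" % key)
        selector, prop, kind = ALLOWED_KEYS[key]
        declaration = "%s: %s;" % (prop, validate_value(kind, value))
        rules.setdefault(selector, []).append(declaration)
    lines = []
    for selector, declarations in rules.items():
        lines.append("%s {" % selector)
        lines.extend("    " + d for d in declarations)
        lines.append("}")
    return "\n".join(lines) + "\n"


def pairs_from_mm_cfg_source(source):
    """Pull `KEY = 'value'` string assignments for known keys out of
    mm_cfg-style Python source without importing or executing it.

    Assumption: the UI settings are flat top-level string assignments, so a
    walk over the parsed module body is enough. Other assignments are
    ignored; nothing in the file ever runs.
    """
    pairs = {}
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1):
            continue
        target, value = node.targets[0], node.value
        if (isinstance(target, ast.Name) and target.id in ALLOWED_KEYS
                and isinstance(value, ast.Constant)
                and isinstance(value.value, str)):
            pairs[target.id] = value.value
    return pairs


if __name__ == "__main__":
    # Constructed sample inputs: what a form POST and an mm_cfg.py might give.
    form_fields = {"BACKGROUND_COLOR": "#fff", "TEXT_COLOR": "#000",
                   "LINK_COLOR": "#0000ee"}
    print(generate_list_css(form_fields))
    cfg_source = "SOME_OTHER_SETTING = 'x'\nBASE_FONT_SIZE = '11pt'\n"
    print(generate_list_css(pairs_from_mm_cfg_source(cfg_source)))
    try:
        generate_list_css({"LINK_COLOR": "red; } input[type=submit] { display: none"})
    except CSSConfigError as err:
        print("rejected:", err)
```

Both entry points end in the same `generate_list_css`, which is the point of the message: one generator, two completely separate front ends, and the mm_cfg path only ever reachable from the shell.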
