Yuen Ho Wong <wyue...@gmail.com> added the comment:

I think you are mixing 3 problems into 1. I think AuthTktCookiePlugin should be 
simply a plugin 
that parses, sets and deletes auth_tkt cookies. Security, which I assume you 
are talking about 
XSS, is not a responsibility of this plugin, the application is suppose to take 
care of that. If your 
application allows <script>sendHackerMyCredentials();</script> to be a user 
name, then let 
whatever deity you subscribe to to help you. Since only byte string is allowed 
to be in a cookie, 
you have 2 options. 1) just allow whatever login is to go thru, 2) if you wanna 
make the type of 
the input explicit, assert isinstance(login, str)

Repoze Bugs <b...@bugs.repoze.org>
Repoze-dev mailing list

Reply via email to