On 03/01/2011 07:28 PM, Shane Hathaway wrote:
On 03/01/2011 06:48 AM, Malthe Borch wrote:
On 1 March 2011 14:19, Chris Withers <ch...@simplistix.co.uk> wrote:
So, it's quoting the tags but not the entities. Bug, no?

Yes, it certainly seems so.

I hope this isn't a XSS hole.  I can't think of a way to add a <script>
tag to a page using this method, but maybe someone else can.

Can we expect a 1.3.x release that fixes this, or is 2.0 the only way
forward?  I'm seeing some regressions in 2.0, like the fact that "|" in
expressions doesn't seem to be supported anymore.  (I need to replace
those anyway, so I'm not complaining--they are greedy exception handlers.)

Also, a quirky behavior of the reference TAL implementation is if you use unknown attribute names in the "tal" namespace, those attributes get stripped from the output. It's a useful feature; it allows me to write comments about a tag. I always spell the comment attributes as "tal:comment". Chameleon 2.0-rc2 raises an exception on my "tal:comment" attributes, while 1.3 ignored them. Can we have tal:comment or the original behavior back?
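The escaping defect under discussion (angle brackets quoted, ampersands left alone), as an added illustration that is not code from the thread or from Chameleon. `escape_tags_only` is a hypothetical escaper modelling the reported 1.3 behaviour; `escape_full` is the stdlib's `html.escape`. The check a practitioner wants here is the round-trip property: decoding the escaped output must give back the original string, otherwise two distinct inputs collide on the same markup. The sample strings are constructed for the example.

```python
# Added example, not from the thread or from Chameleon: a tag-only escaper
# next to a complete one, with the round-trip and collision checks that
# expose the difference. Stdlib only, runs offline.
import html


def escape_tags_only(s: str) -> str:
    """Hypothetical escaper modelling the behaviour reported in the thread:
    '<' and '>' are quoted, but '&' (and so any entity) passes through."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def escape_full(s: str) -> str:
    """Complete escaping: '&' first, then '<', '>' and both quote characters
    (html.escape does the ampersand first so entities are never re-interpreted)."""
    return html.escape(s, quote=True)


def round_trips(escaper, s: str) -> bool:
    """An escaper is only correct if decoding its output returns the input."""
    return html.unescape(escaper(s)) == s


def collides(escaper, a: str, b: str) -> bool:
    """True when two different inputs produce identical markup."""
    return a != b and escaper(a) == escaper(b)


# Constructed inputs: a tag, text that already looks like an entity,
# a literal entity, and a quoted string.
SAMPLES = [
    "<script>alert(1)</script>",
    "&lt;script&gt;",
    "a &amp; b",
    'say "hi"',
]


def check_all(escaper) -> dict:
    """Map each sample to whether it survives escaping and decoding intact."""
    return {s: round_trips(escaper, s) for s in SAMPLES}


if __name__ == "__main__":
    for name, esc in (("tags only", escape_tags_only), ("full", escape_full)):
        print(name)
        for s, ok in check_all(esc).items():
            print(f"  {ok!s:5} {s!r:32} -> {esc(s)!r}")
    # The concrete defect: literal text "&lt;script&gt;" and a real <script>
    # tag become the same bytes, so the template cannot tell them apart.
    print("collision:", collides(escape_tags_only, "&lt;script&gt;", "<script>"))
```

Note what the check does and does not show: with the tag-only escaper, a real `<script>` in the input still comes out as `&lt;script&gt;`, which a browser renders as text rather than executing, matching the observation above that no obvious script injection follows from it. What does break is fidelity: the two inputs in the collision check produce identical output, and an input containing `&amp;` decodes to something other than what the template was given.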

Repoze-dev mailing list
