On 03/01/2011 07:28 PM, Shane Hathaway wrote:
On 03/01/2011 06:48 AM, Malthe Borch wrote:
On 1 March 2011 14:19, Chris Withers <ch...@simplistix.co.uk> wrote:
So, it's quoting the tags but not the entities. Bug, no?
Yes, it certainly seems so.
I hope this isn't an XSS hole. I can't think of a way to add a <script>
tag to a page using this method, but maybe someone else can.
Can we expect a 1.3.x release that fixes this, or is 2.0 the only way
forward? I'm seeing some regressions in 2.0, like the fact that "|" in
expressions doesn't seem to be supported anymore. (I need to replace
those anyway, so I'm not complaining--they are greedy exception handlers.)
Also, a quirky behavior of the reference TAL implementation is if you
use unknown attribute names in the "tal" namespace, those attributes get
stripped from the output. It's a useful feature; it allows me to write
comments about a tag. I always spell the comment attributes as
"tal:comment". Chameleon 2.0-rc2 raises an exception on my
"tal:comment" attributes, while 1.3 ignored them. Can we have
tal:comment or the original behavior back?
Repoze-dev mailing list