On 2 March 2011 03:28, Shane Hathaway <sh...@hathawaymix.org> wrote:
> I hope this isn't a XSS hole.  I can't think of a way to add a <script> tag
> to a page using this method, but maybe someone else can.

Right. I can't think of one at this moment, since '<' and '>' are the
only characters that can make such happen.

> Can we expect a 1.3.x release that fixes this, or is 2.0 the only way
> forward?

Sure. There will be maintenance releases on 1.3.

> I'm seeing some regressions in 2.0, like the fact that "|" in
> expressions doesn't seem to be supported anymore.  (I need to replace those
> anyway, so I'm not complaining--they are greedy exception handlers.)

This could be changed, but it's true that in 2.x (and I realize now
that I haven't written that down anywhere), the pipe character is not
in play with Python-expressions. However, it is implemented and
working for "path:" in ``z3c.pt``, e.g.:

  "path: some/broken | python: 5 + broken | python: 5"

This is the "correct" behavior. The Python expression itself does not
know of the pipe operator.

Do we need the other behavior back? Or is this new behavior ultimately better?

Repoze-dev mailing list

Reply via email to