On 2 March 2011 03:28, Shane Hathaway <sh...@hathawaymix.org> wrote:
> I hope this isn't a XSS hole. I can't think of a way to add a <script> tag
> to a page using this method, but maybe someone else can.

Right. I can't think of one at this moment, since '<' and '>' are the
only characters that can make such happen.

> Can we expect a 1.3.x release that fixes this, or is 2.0 the only way
> forward?

Sure. There will be maintenance releases on 1.3.

> I'm seeing some regressions in 2.0, like the fact that "|" in
> expressions doesn't seem to be supported anymore. (I need to replace those
> anyway, so I'm not complaining--they are greedy exception handlers.)

This could be changed, but it's true that in 2.x (and I realize now
that I haven't written that down anywhere), the pipe character is not
in play with Python-expressions.

However, it is implemented and working for "path:" in ``z3c.pt``, e.g.:

  "path: some/broken | python: 5 + broken | python: 5"

This is the "correct" behavior. The Python expression itself does not
know of the pipe operator.

Do we need the other behavior back? Or is this new behavior ultimately better?

\malthe
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev