Hello all, I've been looking at the way CSRF protection is done in Plone (plone.protect, using a @protect decorator), and also at the XSS protection added to Zope (@postonly decorator) and was wondering if something more generic could possibly be done for zope.formlib-based forms, instead of requiring the use of a decorator.
A quick look through the code makes it seem like an Action could be added to the Actions object such that the validator would do one (or both) of those checks, and something similar to the render_submit_button() which is registered as a @namedtemplate.implementation() would then be used to render the hidden form field holding the CSRF token for that specific action. Does that sound like a reasonable implementation, or is it abusing the framework?

-- 
Sidnei da Silva

Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
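The mechanism proposed above, as an added example that is not part of the original post and does not use zope.formlib itself: a stand-in for a formlib Action whose validator performs the POST-only and CSRF checks, and whose hidden-field renderer plays the role the @namedtemplate.implementation() would play. The class and method names, the request dict shape and the per-session secret are assumptions for illustration.

```python
import hmac
import hashlib
import secrets


class CsrfAction:
    """Hypothetical stand-in for a zope.formlib Action.

    In the real framework the validator would be passed to Action(...) and the
    hidden field would be emitted by a namedtemplate for the action; here both
    live on one class so the example runs without zope.formlib installed.
    """

    def __init__(self, name, session_secret):
        self.name = name                    # e.g. "form.actions.save"
        self.session_secret = session_secret  # per-session secret (assumed source)

    def token(self):
        # Per-action token: HMAC over the action name keyed with the session secret,
        # so a token issued for one action does not authorise a different one.
        return hmac.new(self.session_secret, self.name.encode(),
                        hashlib.sha256).hexdigest()

    def render_hidden_field(self):
        # What the namedtemplate would render next to the submit button.
        return '<input type="hidden" name="%s.token" value="%s" />' % (
            self.name, self.token())

    def validate(self, request):
        """Return a list of error strings; an empty list means the action may run."""
        errors = []
        if request.get("REQUEST_METHOD") != "POST":
            errors.append("action must be submitted via POST")
        submitted = request.get("form", {}).get(self.name + ".token", "")
        # Constant-time comparison so a wrong token is rejected without timing leaks.
        if not hmac.compare_digest(submitted, self.token()):
            errors.append("missing or invalid CSRF token")
        return errors


def new_session_secret():
    # Constructed per-session secret; a real deployment would persist this in the session.
    return secrets.token_bytes(32)


def make_request(method, form):
    # Minimal stand-in for a Zope request: method plus the submitted form fields.
    return {"REQUEST_METHOD": method, "form": form}
```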