[Zope-dev] Re: 2.7 management_page_charset cannot be callable

2004-01-15 Thread Tres Seaver
Alan Milligan wrote: In addition to this problem, someone has changed manage_form_title.dtml and caused me grief! The dtml-var title tag has been changed to dtml-title; This causes an implicit html-quote to now be performed which means that my img tag, inserted to display the product's icon to

[Zope-dev] Re: 2.7 management_page_charset cannot be callable

2004-01-15 Thread Alan Milligan
Tres Seaver wrote: Alan Milligan wrote: In addition to this problem, someone has changed manage_form_title.dtml and caused me grief! The dtml-var title tag has been changed to dtml-title; This causes an implicit html-quote to now be performed which means that my img tag, inserted to display

Re: [Zope-dev] Re: 2.7 management_page_charset cannot be callable

2004-01-15 Thread Shane Hathaway
On Fri, 16 Jan 2004, Alan Milligan wrote: Tres Seaver wrote: That change is one of a number which are designed to prevent cross-site scripting attacks; DTML is particularly vulnerable to such cracks, as it doesn't force the template writer to choose the source from which the name

Re: [Zope-dev] Re: 2.7 management_page_charset cannot be callable

2004-01-15 Thread Alan Milligan
This indeed is a problem. Isn't this an issue because all of these quasi-private methods have a document string and are hence callable via an HTTP request? If we were to remove the doc string from manage_form_title (i.e. via rewriting this as a python method which delegates to the underlying