Jamie Heilman wrote:
> I have a feeling it's attributable to either raise_standardErrorMessage's
> "smart" tag searching, or some other auto-magical aspect of the error
> handling framework.

I finally got around to testing this hypothesis, and it seems to be true.
raise_standardErrorMessage assumes anything stringish matching [a-zA-Z]> is
markup and subsequently sets error_message, which normally isn't quoted.
The problem is, while it may very well be markup, there's no reason to trust
it; as was shown with the case when int() is passed '<b>old', the error
message may contain markup obtained from an untrusted source.

So the question is, how much pain would it cause if there was a mandate that
error messages could not contain markup, and the behavior was changed so
that error_message was always quoted, but assumed to be pre-formatted plain
text?

--
Jamie Heilman                     http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
                                                -Sathington Willoughby

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
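The markup-sniffing problem described in the mail, as an added illustration that is not Zope's code: a model of the `[a-zA-Z]>` heuristic is placed beside the proposed always-quote behaviour, and the `int('<b>old')` case shows how an untrusted value reaches the page unescaped. The regex and the render functions are assumptions standing in for raise_standardErrorMessage, not its actual implementation.

```python
import html
import re

# Assumption modelled on the mail's description (not Zope's source): any
# string containing a letter directly followed by '>' is treated as markup.
LOOKS_LIKE_MARKUP = re.compile(r"[a-zA-Z]>")


def looks_like_markup(text: str) -> bool:
    """The 'smart' tag sniff: True for text containing e.g. 'b>' or 'p>'."""
    return LOOKS_LIKE_MARKUP.search(text) is not None


def render_error_sniffing(message: str) -> str:
    """Heuristic rendering: markup-looking messages pass through unquoted.

    This is the weak behaviour: a message that merely *contains* markup
    from an untrusted source is trusted as if the application wrote it.
    """
    if looks_like_markup(message):
        return '<p class="error">%s</p>' % message
    return '<p class="error">%s</p>' % html.escape(message)


def render_error_quoted(message: str) -> str:
    """Proposed fix: error_message is plain text and is always quoted."""
    return '<p class="error">%s</p>' % html.escape(message)


def error_message_for_int(user_input: str) -> str:
    """Return the text of the ValueError that int() raises for bad input."""
    try:
        int(user_input)
    except ValueError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    # Constructed untrusted input, taken from the case discussed in the mail.
    msg = error_message_for_int("<b>old")
    print("sniffed :", render_error_sniffing(msg))   # raw <b> reaches the page
    print("quoted  :", render_error_quoted(msg))     # &lt;b&gt; instead
```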