Re: [Zope-dev] dtml-try with z-sql
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/01/2013 04:27 AM, murat bilal wrote: > I have DTML-Method like below "deleteUser(USERNAME=USERNAME)"> > > An error occurred. Entry was NOT deleted. > > > deleteUser is Z-SQL method.USERNAME is the argument in Z-SQL method > also column name. When i click erase button it succesfully deletes > record.But if i enter an invalid username it did not throw any > exceptions. This issue is unrelated to DTML / ZSQLMethods. SQL statements like the following:: DELETE FROM some_table WHERE id = 123; don't cause exceptions to be raised for an unknown value like 123; they just affect no rows. If you need an error raised, you need to do something like create a stored procedure on the server which does that. Tres. - -- === Tres Seaver +1 540-429-0999 tsea...@palladion.com Palladion Software "Excellence by Design"http://palladion.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlEL7m8ACgkQ+gerLs4ltQ5uVgCfYRw7x3XAfwsdoFkJCNZm1U3H DKgAoLT358rI08s8GMwanffFV4jT4f8Y =StFb -END PGP SIGNATURE- ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-try with z-sql
I'm not familiar with DTML. In my opinion: deleteUser(USERNAME=invalid USERNAME) Does not throw an exception, Should be judged through a function return value. 2013/2/1 Jian Aijun > I'm not familiar with DTML, > I would like to: > > deleteUser(USERNAME=invalid USERNAME) > > Does not throw an exception, > > Should be judged through a function return value. > > > 2013/2/1 murat bilal > >> Hi all, >> >> I have DTML-Method like below >> >> >> >> >> An error occurred. Entry was NOT deleted. >> >> >> deleteUser is Z-SQL method.USERNAME is the argument in Z-SQL method also >> column name. >> When i click erase button it succesfully deletes record.But if i enter an >> invalid username it did not throw any exceptions. >> >> Please help >> >> REgards >> >> ___ >> Zope-Dev maillist - Zope-Dev@zope.org >> https://mail.zope.org/mailman/listinfo/zope-dev >> ** No cross posts or HTML encoding! ** >> (Related lists - >> https://mail.zope.org/mailman/listinfo/zope-announce >> https://mail.zope.org/mailman/listinfo/zope ) >> >> > ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-try with z-sql
I'm not familiar with DTML, I would like to: deleteUser(USERNAME=invalid USERNAME) Does not throw an exception, Should be judged through a function return value. 2013/2/1 murat bilal > Hi all, > > I have DTML-Method like below > > > > > An error occurred. Entry was NOT deleted. > > > deleteUser is Z-SQL method.USERNAME is the argument in Z-SQL method also > column name. > When i click erase button it succesfully deletes record.But if i enter an > invalid username it did not throw any exceptions. > > Please help > > REgards > > ___ > Zope-Dev maillist - Zope-Dev@zope.org > https://mail.zope.org/mailman/listinfo/zope-dev > ** No cross posts or HTML encoding! ** > (Related lists - > https://mail.zope.org/mailman/listinfo/zope-announce > https://mail.zope.org/mailman/listinfo/zope ) > > ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-sendmail issue
Break the problem up. First thing to do is to check if sendmail is working from the file system. on unix mail m...@mydomain.com If that breaks, you know what to fix. If that works, double check your configurations on your mailhost object. And finally try just a 3 line sendmail file. I have used dtml-sendmail a lot over the years. As far as I know it has always worked fine. Trust it, but not the code you have written, and you should be able to get it fixed quickly. -- Regards Christopher Lozinski Check out my iPhone apps TextFaster and EmailFaster http://textfaster.com Expect a paradigm shift. http://MyHDL.org ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-sendmail issue
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/02/2011 11:35 AM, Babylakshmi Muthusamy wrote: > I tried to send mail through SMTP localhost using dtml-sendmail. It > was working fine for many days. Currently it is not sending mails. > Could you please provide me pointers to debug this issue? Does your code fail with an exception? If so, please provide the traceback (you should be able to get it from the 'error_log' object in your site). If not, then likely the problem is with the MTA you have running on your machine: maybe its configuration changed? Tres. - -- === Tres Seaver +1 540-429-0999 tsea...@palladion.com Palladion Software "Excellence by Design"http://palladion.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk4PQdcACgkQ+gerLs4ltQ40FACgsPjjFI/fRnUsvUnrhknXATT/ n8MAniNjRYyEmnKshz2z1Z0fQ6VyZIXL =+Spv -END PGP SIGNATURE- ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML is dead, long live DTML ;-)
On Sun, Sep 5, 2010 at 1:28 PM, Tim Hoffman wrote: > So I was looking for zope eco system based non html/xml based templating > systems as a response to Martin > saying DTML is dead, as I am currently using DTML for these sorts of tasks. The Zope eco system for such tasks is the same as the wider Python eco system these days. There's absolutely no need to stick with a Zope-only approach anymore. string.Template, Jinja2 and Mako all seem to be well maintained templating solutions you could use. DTML is definitely dead as far as open-source software can die. Hanno ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML is dead, long live DTML ;-)
On Sun, Sep 05, 2010 at 11:13:05AM +0800, Tim Hoffman wrote: > Hi Florian > > I use a model based generation approach (from enterprise architect) however > even archgenxml has templates for large amounts of boiler plate under the > hood. > > Have you actually looked at the src of archgenxml, if you did you will > notices it uses dtml for templating the code output ;-) Once did, but wasn't aware of any dtml, come to think of it, there is some reason to it ;) -- Florian Friesdorf GPG FPR: EA5C F2B4 FBBB BA65 3DCD E8ED 82A1 6522 4A1F 4367 Jabber/XMPP: f...@chaoflow.net IRC: chaoflow on freenode,ircnet,blafasel,OFTC pgp9485K58h0p.pgp Description: PGP signature ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML is dead, long live DTML ;-)
Hi Laurence I think you missed my point. I was talking about generating code (sql as DDL for instance) not sql statements. I use Enterprise architect to model the application in UML for the data model, entity model, I generate generate storm schema and DDL for accessing the database from the model. And much of the model is originally reverse engineered from the RDBMS by EE. And usually the RDBMS is pre-existing, not a new thing. So the schema of the RDBMS is fixed. So I was looking for zope eco system based non html/xml based templating systems as a response to Martin saying DTML is dead, as I am currently using DTML for these sorts of tasks. T On Sun, Sep 5, 2010 at 6:47 PM, Laurence Rowe wrote: > On 5 September 2010 02:49, Tim Hoffman wrote: > >>> > >> > >> Please note that DTML is a dead (and horrid) technology. > >> Martin > > > > But zpt is horrible for doing non html/xml based things ;-), What do you > > think is good alternative in the zope eco system now > > for templating other types of things (sql, python ...) ? > > If you don't need conditions or looping, then string.Template from the > standard library is a reasonable choice. For templating SQL I would > use SQLAlchemy, as you want appropriate quoting applied to your input. > (You don't have to use it's ORM). > > Laurence > ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML is dead, long live DTML ;-)
On 5 September 2010 02:49, Tim Hoffman wrote: >>> >> >> Please note that DTML is a dead (and horrid) technology. >> Martin > > But zpt is horrible for doing non html/xml based things ;-), What do you > think is good alternative in the zope eco system now > for templating other types of things (sql, python ...) ? If you don't need conditions or looping, then string.Template from the standard library is a reasonable choice. For templating SQL I would use SQLAlchemy, as you want appropriate quoting applied to your input. (You don't have to use it's ORM). Laurence ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML is dead, long live DTML ;-)
HI Vincent. I haven't looked an jinja to date. Will definately have a look at it. I generate a lot of code (sql, gae models, storm schema, formish schema's) from Enterprise Architect, and currently using dtml for all non html/xml output. Cheers T On Sun, Sep 5, 2010 at 3:35 PM, Vincent Fretin wrote: > Hi, > > For AGX3, we started to use Jinja for the template, for example for > the generation of setup.py, we have: > > version = '{{version}}' > > setup(name='{{project}}', > version=version, > description="{{description}}", > ... > > The syntax is simpler than dtml we use in AGX2: > > > Vincent > > > On Sun, Sep 5, 2010 at 5:13 AM, Tim Hoffman wrote: > > Hi Florian > > I use a model based generation approach (from enterprise architect) > however > > even archgenxml has templates for large amounts of boiler plate under > the > > hood. > > Have you actually looked at the src of archgenxml, if you did you will > > notices it uses dtml for templating the code output ;-) > ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML is dead, long live DTML ;-)
Hi, For AGX3, we started to use Jinja for the template, for example for the generation of setup.py, we have: version = '{{version}}' setup(name='{{project}}', version=version, description="{{description}}", ... The syntax is simpler than dtml we use in AGX2: Vincent On Sun, Sep 5, 2010 at 5:13 AM, Tim Hoffman wrote: > Hi Florian > I use a model based generation approach (from enterprise architect) however > even archgenxml has templates for large amounts of boiler plate under the > hood. > Have you actually looked at the src of archgenxml, if you did you will > notices it uses dtml for templating the code output ;-) ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML is dead, long live DTML ;-)
Hi Florian I use a model based generation approach (from enterprise architect) however even archgenxml has templates for large amounts of boiler plate under the hood. Have you actually looked at the src of archgenxml, if you did you will notices it uses dtml for templating the code output ;-) T On Sun, Sep 5, 2010 at 9:11 AM, Florian Friesdorf wrote: > On Sun, Sep 05, 2010 at 08:49:39AM +0800, Tim Hoffman wrote: > > > > > > > > >> > > > Please note that DTML is a dead (and horrid) technology. > > > > > > Martin > > > > > > > But zpt is horrible for doing non html/xml based things ;-), What do you > > think is good alternative in the zope eco system now > > for templating other types of things (sql, python ...) ? > > I would use a templating system for things that are easy to template > (html/xml) and where more complex logic can be offloaded to a real > programming language like python (as zpt does). > > Using a templating system for a programming language is I think a > different programming paradigm than zope's component architecture and > contrary to code reusage. With code generators like ArchGenXML or agx > you are able to create models for your software on a more abstract level > than based on templating, so I would not use templating but model-based > code generation instead. > > > florian > > -- > Florian Friesdorf > GPG FPR: EA5C F2B4 FBBB BA65 3DCD E8ED 82A1 6522 4A1F 4367 > Jabber/XMPP: f...@chaoflow.net > IRC: chaoflow on freenode,ircnet,blafasel,OFTC > ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML is dead, long live DTML ;-)
On Sun, Sep 05, 2010 at 08:49:39AM +0800, Tim Hoffman wrote: > > > > > >> > > Please note that DTML is a dead (and horrid) technology. > > > > Martin > > > > But zpt is horrible for doing non html/xml based things ;-), What do you > think is good alternative in the zope eco system now > for templating other types of things (sql, python ...) ? I would use a templating system for things that are easy to template (html/xml) and where more complex logic can be offloaded to a real programming language like python (as zpt does). Using a templating system for a programming language is I think a different programming paradigm than zope's component architecture and contrary to code reusage. With code generators like ArchGenXML or agx you are able to create models for your software on a more abstract level than based on templating, so I would not use templating but model-based code generation instead. florian -- Florian Friesdorf GPG FPR: EA5C F2B4 FBBB BA65 3DCD E8ED 82A1 6522 4A1F 4367 Jabber/XMPP: f...@chaoflow.net IRC: chaoflow on freenode,ircnet,blafasel,OFTC pgpD9QHMx5IZs.pgp Description: PGP signature ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML is dead, long live DTML ;-)
> > >> > Please note that DTML is a dead (and horrid) technology. > > Martin > But zpt is horrible for doing non html/xml based things ;-), What do you think is good alternative in the zope eco system now for templating other types of things (sql, python ...) ? T ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML
On Tue, 2004-03-02 at 18:24, Fábio Bruno wrote: > Dear Sir or Madamme > We are working with zope at school, it was proppoused to us to do an > imobiliary site and we like to know who we can do a for cicle or repeat to > search in our document whow many houses where added. > Your's faithfully, > Fábio & Bruno Hi, please notice that this list if for discussion of the development _of_ the zope application server. not for using it. First, consider using Zope Page Templates instead of DTML. There is a good tutorial in the Zope 2.7 release that you can leverage which tells you about "tal:repeat". There is also a site from brasil that tells about zope: www.tchezope.org where you will get support from a community in your native language. Regards, Christian -- Christian Theune, gocept gmbh & co. kg http://www.gocept.com - [EMAIL PROTECTED] fon: 03496 3099112 fax: 03496 3099118 mobile: 0179 7808366 signature.asc Description: This is a digitally signed message part ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Wed, Aug 14, 2002 at 04:25:09PM -0400, Brian Lloyd wrote: > So here's what we'll do. Zope 2.6 will include the string tainting > changes, enabled by default. The tainting can be turned off by > providing an environment variable. > > The next Zope 2.5.x release will contain the tainting code, but it > will be *disabled* by default. If you are worried about the issues > it addresses, you will be able to enable it explicitly using an > environment variable (without having to upgrade to 2.6). I checked in the changes for 2.5; auto quoating now has to be enabled with an environment variable. Higly recommended! -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
> >>Like I said before, this is probably a good feature. If it was > available as a > >>patch then I would probably use it on a number of my sites, and would > >>recommend it to others. I would be very happy see it (or > something like it) > >>in 2.7. > >> > >>But not 2.6. > >> > > >> Then Jim wrote: >> WRT to this change, now that I'm back from vacation, I want to talk to Brian >> about it. ;) Hear ye, hear ye :^) Zope 2.6 is a second-dot release, meaning that it is expected that there will be new features and that it is possible (though we always try to avoid it) that some things can break in the name of progress. (See http://dev.zope.org/CVS/ZopeReleasePolicy for more details). Zope 2.5.x will be a third-dot release, intended to be bug-fix only (and thus not allowed to break things). So here's what we'll do. Zope 2.6 will include the string tainting changes, enabled by default. The tainting can be turned off by providing an environment variable. The next Zope 2.5.x release will contain the tainting code, but it will be *disabled* by default. If you are worried about the issues it addresses, you will be able to enable it explicitly using an environment variable (without having to upgrade to 2.6). 2.7 and later releases will behave as 2.6. Brian Lloyd[EMAIL PROTECTED] V.P. Engineering 540.361.1716 Zope Corporation http://www.zope.com ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checkedin
Jim Fulton wrote: > The plan is to release 2.6 as soon as we can. We're really busy with a > bunch of > customer work and haven't had as much time to work on this as we'd like. Well actually this is more comforting than if you had a lot of time on your hands ;-) regards Max M -- "Sorry I would Really Like To Help More On This Project, But Am To Busy Doing Paid Work On A Tight Deadline" Max M ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
Jeffrey P Shell wrote: > On 8/9/02 8:43 AM, "Toby Dickenson" <[EMAIL PROTECTED]> > wrote: > ... >>Like I said before, this is probably a good feature. If it was available as a >>patch then I would probably use it on a number of my sites, and would >>recommend it to others. I would be very happy see it (or something like it) >>in 2.7. >> >>But not 2.6. >> > > Oh, 2.6 will never happen anyways ;) (seriously folks - what's the plan?). The plan is to release 2.6 as soon as we can. We're really busy with a bunch of customer work and haven't had as much time to work on this as we'd like. It's likely that 2.7 will come out at around the same time as 2.6. See http://dev.zope.org/Wikis/DevSite/Projects/SupportPython22/VisionStatement. WRT to this change, now that I'm back from vacation, I want to talk to Brian about it. ;) Jim -- Jim Fulton mailto:[EMAIL PROTECTED] Python Powered! CTO (888) 344-4332http://www.python.org Zope Corporation http://www.zope.com http://www.zope.org ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Mon, Aug 12, 2002 at 03:51:24PM +0100, Toby Dickenson wrote: > On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote: > > > Whithout the fix, virtually every Zope site in the world is vulnerable > > to URL-based cross-site scripting exploits. For instance, any URL which > > contains invalid form variable marshalling can generate an error page > > which includes the erroneous value, unquoted. E.g.: > > > > http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealer > >t('Owned')%3C/script%3E> > > Do you plan to fix this bug? > > Or, with the autoquoting changes, is this to be reclassified as 'not a bug'? Together with the autoquoting changes, I tightened Exception messages; data from REQUEST is quoted where I could reasonably suspect REQUEST data was used. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesabout to be checked in
> > > I'd like to second this. It was one of the contibuting factors in the > > > decision of my former employers to opt for spectra instead of a Zope > > > solution (That already existed!!). > > I, in contrary, appreciate the openess and fast response with > > respect to security problems. > > > > I do not install most hotfixes because the vulnerabilities do not > > affect our sites but it is a good feeling that there are fast > > fixes when this would be once the case. > > In some way we need to make it clear that most hotfixes don't matter for > most sites. A lot of hotfixes ensured that users who could write DTML > couldn't get extra privileges. They really only mattered for sites like > zope.org, where anyone with an email address is allowed to write code > that will be executed directly on the server. But: > You are exactly right... but... The problem is not one of clarity of labling, it's one of targetting: The people that actually make this level of decision (i.e. board level execs) are not "techies", and are just not interested in _why_ the fix is needed, or in _what_ technical problem it fixes, but that ZC (visibly) releases 'n' fixes per month for Zope, while M$ (visibly) releases less than that number per year for IIS/ASP - Therefore, Zope must be the less stable/reliable product etc? The logic is flawed, we all know that, but who is volunteering to visit every companies senior execs worldwide and spend the time to make them care enough? The hotfixes, and new releases need to be "marketted" (I use that word loosely) quite differently, new releases are "A Good Thing(tm)", while the fixes need to be "under the hood" where the execs won't be bothered by them, but the techies can find them when they need them. I appologise, in advance, for the sweeping generalization that all execs are like Dilbert's pointy-haired boss, but some really are! Adrian... -- Adrian Hungate EMail: [EMAIL PROTECTED] Web: http://www.haqa.co.uk ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote: > Whithout the fix, virtually every Zope site in the world is vulnerable > to URL-based cross-site scripting exploits. For instance, any URL which > contains invalid form variable marshalling can generate an error page > which includes the erroneous value, unquoted. E.g.: > > http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealer >t('Owned')%3C/script%3E> Do you plan to fix this bug? Or, with the autoquoting changes, is this to be reclassified as 'not a bug'? ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesaboutto be checked in
Dieter Maurer wrote: > Adrian Hungate writes: > > > > > We should avoid sending the wrong > > > message by making a hotfix for every little thing. > > > > > > Shane > > > I'd like to second this. It was one of the contibuting factors in the > > decision of my former employers to opt for spectra instead of a Zope > > solution (That already existed!!). > I, in contrary, appreciate the openess and fast response with > respect to security problems. > > I do not install most hotfixes because the vulnerabilities do not > affect our sites but it is a good feeling that there are fast > fixes when this would be once the case. In some way we need to make it clear that most hotfixes don't matter for most sites. A lot of hotfixes ensured that users who could write DTML couldn't get extra privileges. They really only mattered for sites like zope.org, where anyone with an email address is allowed to write code that will be executed directly on the server. But: 1) most Zope sites give a high level of trust to DTML authors anyway. There was no way to exploit most of the security holes without the ability to write DTML that runs on the server. 2) even a Zope administrator is still quite limited. In a standard setup, a Zope admin can't read/write arbitrary files or execute scripts. 3) Zope doesn't run as root. Even if someone found a way to get console access through a Zope admin account, they would have to exploit some other security hole to get root access. We need to make it clear that there are several layers of security, and only a single layer has ever had a problem AFAIK. Shane ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesabout to be checked in
Adrian Hungate writes: > > > We should avoid sending the wrong > > message by making a hotfix for every little thing. > > > > Shane > I'd like to second this. It was one of the contibuting factors in the > decision of my former employers to opt for spectra instead of a Zope > solution (That already existed!!). I, in contrary, appreciate the openess and fast response with respect to security problems. I do not install most hotfixes because the vulnerabilities do not affect our sites but it is a good feeling that there are fast fixes when this would be once the case. Dieter ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesabout to be checked in
> [Snip] > > I just want to keep the security worries in check. Let me ramble for a > bit... We've released a lot of hotfixes, but *none* of the > vulnerabilities could give an attacker root access, and none of them > could give console access to anonymous users AFAIK. All of the > vulnerabilities violated Zope's security policy, but Zope's security > policy is constrained by system security and other safeguards. People > outside the Zope community don't know that, so a lot have labeled Zope > as too insecure to use. The reality is that we've never even had an > exploitable buffer overrun. :-) We should avoid sending the wrong > message by making a hotfix for every little thing. > > Shane > I'd like to second this. It was one of the contibuting factors in the decision of my former employers to opt for spectra instead of a Zope solution (That already existed!!). I am sure there are other cases of this too... If someone finds a buffer overrun, fix it by all means, but other issues may be better left for minor version releases, where they can be buried in the changelog. Just my £0.02 Adrian... -- Adrian Hungate EMail: [EMAIL PROTECTED] Web: http://www.haqa.co.uk ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checkedin
On 8/9/02 8:43 AM, "Toby Dickenson" <[EMAIL PROTECTED]> wrote: > I agree it is true in most cases, but not all. Have you analysed how many > applications will be broken by this? how they can detect the breakage? I > certainly will not have time to assess the implications on my applications > before the scheduled release of 2.6. This is why I raised the flag of "can there be a way to disable it?", and Martijn put a fix in: - and &dtml.-name; will now automatically HTML-quote unsafe data taken implictly from the REQUEST object. Data taken explicitly from the REQUEST object is not affected, as well as any other data not originating from REQUEST. This can be disabled (at your own risk!) by setting the environment variable ZOPE_DTML_REQUEST_AUTOQUOTE to one of 'no', '0', or 'disabled'. I have the same concerns you do, but I figure that if any problems are found during normal execution of any Zope release this is attached to that I don't have time to investigate a fix for myself, I can add this environment variable (which normally I am not fond of doing), restart, and make a note "investigate fixing site blablabla". Is there any reason why this solution wouldn't work for you? > Like I said before, this is probably a good feature. If it was available as a > patch then I would probably use it on a number of my sites, and would > recommend it to others. I would be very happy see it (or something like it) > in 2.7. > > But not 2.6. Oh, 2.6 will never happen anyways ;) (seriously folks - what's the plan?). Since there's no current release plan for 2.6, it's hard to plan future deployments around it anyways. But if you have any sites you plan to move to 2.6, you should test this Autoquote change aggressively during the alpha/beta cycle. Since the ZOPE_DTML_REQUEST_AUTOQUOTE change has been put in, I've reserved future judgments until I get a chance to actually do some testing. I know that if I do run into any issues in the future that I don't have time to deal with, I can just flip that switch off. -- Jeffrey P Shell www.cuemedia.com ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesaboutto be checked in
Tres Seaver wrote: > Whithout the fix, virtually every Zope site in the world is vulnerable > to URL-based cross-site scripting exploits. For instance, any URL which > contains invalid form variable marshalling can generate an error page > which includes the erroneous value, unquoted. E.g.: > > >http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E> I think an URL with an inconspicuous mispelling of the domain name is a far greater vulnerability than cross-site-scripting. Consider: http://barnesandnohle.com/freebooks.html An attacker could set up that misleading domain name then spam people to order free books, requiring credit card info for some "book-of-the-month" trick. Some simple scraping of the true site would keep most people from ever thinking there was a problem. In fact, you don't even have to misspell it: http://barnes-andnoble.com/freebooks.html This affects the entire web and every piece of software involved in it. I just want to keep the security worries in check. Let me ramble for a bit... We've released a lot of hotfixes, but *none* of the vulnerabilities could give an attacker root access, and none of them could give console access to anonymous users AFAIK. All of the vulnerabilities violated Zope's security policy, but Zope's security policy is constrained by system security and other safeguards. People outside the Zope community don't know that, so a lot have labeled Zope as too insecure to use. The reality is that we've never even had an exploitable buffer overrun. :-) We should avoid sending the wrong message by making a hotfix for every little thing. Shane ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes aboutto be checked in
Tres Seaver wrote: > Martijn did add a knob to turn the feature off, via a new environment > variable. With a security vulnerability, we have to come up with some > kind of balance between the need to propagate the fix as quickly as > possible and the need (as you point out) not to disrupt production sites > unduly. I don't believe we can afford to wait a whole other release > cycle for this fix; Brian, Jim, and Martijn deemed the fix too > pervasive to be bundled as a hotfix, which offers us little choice > except to included it in current releases. > > Whithout the fix, virtually every Zope site in the world is vulnerable > to URL-based cross-site scripting exploits. For instance, any URL which > contains invalid form variable marshalling can generate an error page > which includes the erroneous value, unquoted. E.g.: > > >http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E> Yeah, but why not fixing that instead? I for one concur that it is a good thing to care for such stuff, but the way it is fixed might really lead to a lot of confusion, because it again introduces some magic which happens behind the users back. As far as I understand the fix, I can imagine some use cases which might break without having been in danger at all. Someone please correct me if I'm wrong. 1. Sending mails with dtml-sendmail If you send plaintext mails, suddendly you get html_quoted stuff which you never wanted. Having to debug this without knowing about the new "feature" will get people up in arms. 2. 3. Any object which uses dtml to render content from the REQUEST not meant for being displayed in a browser. Some people might use zope for things which have nothing to do with html, so they didn't care about cross-site scripting in the first place. cheers, oliver ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesabout to be checked in
On Fri, 2002-08-09 at 10:43, Toby Dickenson wrote: > On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote: > > On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote: > > > > The risk for breakage is very small really > > > > > > Your choice of '<' and html_quote suggests that my dtml code which > > > generates javascript and vbscript carries a higher risk than dtml which > > > generates html. > > > > Only if you generated that script using data from the REQUEST, implicitly. > > Yes > > > Which was bad in the first place. > > I agree it is true in most cases, but not all. Have you analysed how many > applications will be broken by this? how they can detect the breakage? I > certainly will not have time to assess the implications on my applications > before the scheduled release of 2.6. > > > > >, and breakage > > > > will generally only occur when someone is trying to exploit the > > > > weakness, not in normal operation of the site. > > > > > > The fact that your change uses html_quote to 'fix' the problem rather > > > than sounding 'hacker alert' alarm bells suggests to me that you dont > > > really believe that ;-) > > > > Again, the wide scope of DTML use would make such bells warble prematurely > > all too often. > > 'all too often' also contradicts your statements that this will not happen in > normal operation of the site, and that the risk of breakage is 'very small'. > > > Like I said before, this is probably a good feature. If it was available as a > patch then I would probably use it on a number of my sites, and would > recommend it to others. I would be very happy see it (or something like it) > in 2.7. > > But not 2.6. Martijn did add a knob to turn the feature off, via a new environment variable. With a security vulnerability, we have to come up with some kind of balance between the need to propagate the fix as quickly as possible and the need (as you point out) not to disrupt production sites unduly. I don't believe we can afford to wait a whole other release cycle for this fix; Brian, Jim, and Martijn deemed the fix too pervasive to be bundled as a hotfix, which offers us little choice except to included it in current releases. Whithout the fix, virtually every Zope site in the world is vulnerable to URL-based cross-site scripting exploits. For instance, any URL which contains invalid form variable marshalling can generate an error page which includes the erroneous value, unquoted. E.g.: http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E> Tres. -- === Tres Seaver[EMAIL PROTECTED] Zope Corporation "Zope Dealers" http://www.zope.com ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote: > On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote: > > > The risk for breakage is very small really > > > > Your choice of '<' and html_quote suggests that my dtml code which > > generates javascript and vbscript carries a higher risk than dtml which > > generates html. > > Only if you generated that script using data from the REQUEST, implicitly. Yes > Which was bad in the first place. I agree it is true in most cases, but not all. Have you analysed how many applications will be broken by this? how they can detect the breakage? I certainly will not have time to assess the implications on my applications before the scheduled release of 2.6. > > >, and breakage > > > will generally only occur when someone is trying to exploit the > > > weakness, not in normal operation of the site. > > > > The fact that your change uses html_quote to 'fix' the problem rather > > than sounding 'hacker alert' alarm bells suggests to me that you dont > > really believe that ;-) > > Again, the wide scope of DTML use would make such bells warble prematurely > all too often. 'all too often' also contradicts your statements that this will not happen in normal operation of the site, and that the risk of breakage is 'very small'. Like I said before, this is probably a good feature. If it was available as a patch then I would probably use it on a number of my sites, and would recommend it to others. I would be very happy see it (or something like it) in 2.7. But not 2.6. ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote: > > The risk for breakage is very small really > > Your choice of '<' and html_quote suggests that my dtml code which generates > javascript and vbscript carries a higher risk than dtml which generates html. Only if you generated that script using data from the REQUEST, implicitly. Which was bad in the first place. > >, and breakage > > will generally only occur when someone is trying to exploit the weakness, > > not in normal operation of the site. > > The fact that your change uses html_quote to 'fix' the problem rather than > sounding 'hacker alert' alarm bells suggests to me that you dont really > believe that ;-) Again, the wide scope of DTML use would make such bells warble prematurely all too often. The normal, recommended fix for the general weakness is to always use HTML quote. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Thursday 08 Aug 2002 9:29 pm, Martijn Pieters wrote: > On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote: > > > I am about to land some big changes in the way DTML deals with data > > > taken from the REQUEST object when accessed implicitly, in both the > > > Zope Trunk and the Zope 2.5 branch. > > > > In my opinion this change is completely unacceptable at this late stage > > of > > > > the release cycle. As you said: > > > These changes could potentially break existing Zope sites. > > > > The existing behavior might be flawed, but it is a flaw we have all lived > > with for a long time. In my opinion this needs: > > > > 1. To be deferred until the 2.7 cycle. > > > > 2. A detailed fishbowl proposal. > > Note that the problems fixed are potential security problems. Although we > cannot fix every site out there for sure, the fixes certainly dramatically > reduce the risks. Im not going to argue that this feature is bad - because I dont believe that to be true. I suspect the feature is not exactly quite right - but those issues can easily be resolved over a full release cycle. > The risk for breakage is very small really Your choice of '<' and html_quote suggests that my dtml code which generates javascript and vbscript carries a higher risk than dtml which generates html. >, and breakage > will generally only occur when someone is trying to exploit the weakness, > not in normal operation of the site. The fact that your change uses html_quote to 'fix' the problem rather than sounding 'hacker alert' alarm bells suggests to me that you dont really believe that ;-) > I'll leave any decisions on wether or not this stays in the current release > cycles or moves to 2.7 to Jim Fulton. He is unfortunately on cvacation > until next week. ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote: > > I am about to land some big changes in the way DTML deals with data > > taken from the REQUEST object when accessed implicitly, in both the Zope > > Trunk and the Zope 2.5 branch. > > In my opinion this change is completely unacceptable at this late stage of > the release cycle. As you said: > > > These changes could potentially break existing Zope sites. > > The existing behavior might be flawed, but it is a flaw we have all lived > with for a long time. In my opinion this needs: > > 1. To be deferred until the 2.7 cycle. > > 2. A detailed fishbowl proposal. Note that the problems fixed are potential security problems. Although we cannot fix every site out there for sure, the fixes certainly dramatically reduce the risks. The risk for breakage is very small really, and breakage will generally only occur when someone is trying to exploit the weakness, not in normal operation of the site. I'll leave any decisions on wether or not this stays in the current release cycles or moves to 2.7 to Jim Fulton. He is unfortunately on cvacation until next week. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
The way I see it is this: ZPT has (amongst others) the very nice property that it's trivial to audit ZPT pages for non-quoted string output: just grep for 'structure'. OTOH in DTML there's no way to do that, the default is unquoted output. &dtml-stuff; is a good step, but there's way too much code out there that doesn't take proper security precautions and is vulnerable to cross-site scripting attacks. The fact that namespaces are implicit and make it possible to get stuff from where we don't expect them doesn't help. We should always keep in mind the security debacle that PHP has become, because it didn't take proper precautions for quoting (reports on Bugtraq of XSS attacks in some PHP application practically every week). There's magic_quotes_gpc or magic_quotes_runtime that automatically quotes their equivalent of REQUEST or even any output from outside applications, but it's a PITA because it does too much and is often inconvenient, so a lot of users turn it off or forget to turn it on. And it's too much magic. The solution Martijn implemented has a number of nice properties, for instance protecting those that do , and will only leave open the applications that really didn't take the most basic security precautions (unfortunately I'm sure there are some out there, doing stuff like ">). So in a code audit all should be suspect, and &dtml-.xxx; too. Florent -- Florent Guillaume, Nuxeo (Paris, France) +33 1 40 33 79 87 http://nuxeo.com mailto:[EMAIL PROTECTED] ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Fri, Aug 02, 2002 at 08:55:13AM -0700, Andy McKay wrote: > Likewise Im trying to digest all that and Im a little suprised. More magic > in DTML? Not something I'd vote for normally. > > Im a little confused why this is suddenly an issue, yeah so we pull a string > out of the REQUEST and thanks to DTML stack we may not know where it came > from. Well thats always been there. And yeah the string may contain nasty > HTML. Again that's always been there. > In the past (and I cant find posts to show it) the party line was Zope is an > application server and its up to the person developing the application to > worry about it. Thats why ChrisW wrote stripogram and I use it in quite a > few apps. Yup. And that is still the case. However, the combination of implict REQUEST form interpolation and no HTML quoting turns out to especially dangerous, because of those situations where you *want* no HTML quoting for optional information that normally should *not* come from the REQUEST. An example is the Zope help system; there are API help pages that have optional information, which when present is already HTML. But when not present in the object hierarchy, but it *is* available in the REQUEST, the REQUEST data is used instead. The way standard_error_message deals with exceptions is another such a situation. The DTML author didn't expect the particular template slot to be filled with REQUEST data, the slot is optional, and the author has no way of preventing REQUEST data from being used. The solution we choose fixes that problem, for all existing DTML as well as future DTML. Note that ZPT does not have this problem, as it quotes by default and doesn't use implict namespaces. > One other question? Why does it matter that the string is implicitly called, > why dont you taint explicitly called to? It makes me think of Perl where > taint mode taints anything coming from the user? Because, as explained above, its the implicit case that is dangerous. In the explicit case you are supposed to know you are working with unsafe data and thus the old rules apply. If we explicitly quoted, we hurt everyone that either did the right thing from the start and/or already knows they are playing with fire. > This still doesnt solve the party line and means I would like to suggest > again (and this time I have the time to work on it) that we add something > like stripogram or similar to the core, so that is easy for an application > developer to have access to strip html and other functions from products, > DTML, Python Scripts etc to easily alter, manage and make HTML safer. The CMF now includes a basic HTML stripper. In future iterations, Tres Seaver expects this to evolve into a CMF Tool that is more generaly configurable and useable. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
Likewise Im trying to digest all that and Im a little suprised. More magic in DTML? Not something I'd vote for normally. Im a little confused why this is suddenly an issue, yeah so we pull a string out of the REQUEST and thanks to DTML stack we may not know where it came from. Well thats always been there. And yeah the string may contain nasty HTML. Again that's always been there. In the past (and I cant find posts to show it) the party line was Zope is an application server and its up to the person developing the application to worry about it. Thats why ChrisW wrote stripogram and I use it in quite a few apps. One other question? Why does it matter that the string is implicitly called, why dont you taint explicitly called to? It makes me think of Perl where taint mode taints anything coming from the user? This still doesnt solve the party line and means I would like to suggest again (and this time I have the time to work on it) that we add something like stripogram or similar to the core, so that is easy for an application developer to have access to strip html and other functions from products, DTML, Python Scripts etc to easily alter, manage and make HTML safer. -- Andy McKay @gmweb Consulting http://www.agmweb.ca ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML sqltest tag and python expr. Bug in Zope Book?
On Sat, 30 Jun 2001 11:41:57 +0200 (CEST) Dieter Maurer <[EMAIL PROTECTED]> wrote: > If I were a purist, I would answer: no. > > The name error could come from a nested call that incidentally > uses the same name for a variable as a request argument. Granted. But I have just been thinking: the dtml-var tag does support python expressions. And its "missing" attribute is quite similar to the "optional" of dtml-sqltest, don't you think? The "missing" attribute works only when a variable name is provided. It has no effect on python expression: if noVar is not defined: returns nothing, raises a NameError. So for consistency, we can do the same with the dtml-sqltest tag: it would accept python expression, and the "optional" would work only with variable names, not python expressions. > If I were a Zope maintainer, I would answer: no. > > The feature is rarely used and if it is, there is > a way to do it with existing DTML means: Well, of course it is not being used much, since it is not implemented... ;o) Anyway, I guess it all depends on what you use Zope for. As far as I am concerned, many of the Zope projects I have been involved in included heavy database queries. So I used that "feature" (with the workarounds we described) quite a lot. > But your point was: The feature is used in the Zope book, > thus, apparently, it was useful. The question: > "why not implement the feature rather than change the book". Exactly. I think that this feature should be implemented for: o consistency with other tags, o consistency with the Zope Book (DTML *REFERENCE*!) o and its usefulness to people like me ;) > Maybe, DC says something about this Cheers! -- Yves-Eric Martin [EMAIL PROTECTED] ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML sqltest tag and python expr. Bug in Zope Book?
Yves-Eric Martin writes: > > I expect that "dtml-sqltest" does not support the "expr" > > attribute due to its "optional". > > > > It is not easy to define the semantics of "optional" for > > arbitrary expressions. > > To overcome that problem, I think it would make sense to treat the > "optional" like this: when the expression raises a NameError, if the > variable name that caused the error is an expected argument of the > ZSQLMethod, then this argument was not provided, so do not render the > sqltest tag. Otherwise, we have a real error. In a pythonish algorithm, > that would look like this: > > > try: > renderedExpr = eval(expr) > except NameError, varName: > if varName in ZSQLMethodArguments: > # "optional" behavior for missing variable > pass > else: > # We have a real error > raise NameError, varName > else: > # render sqltest tag > ... > > > Do you think that makes sense? If I were a purist, I would answer: no. The name error could come from a nested call that incidentally uses the same name for a variable as a request argument. If I were a Zope maintainer, I would answer: no. The feature is rarely used and if it is, there is a way to do it with existing DTML means: As you demonstrated: does work, although it is not really nice -- but not too bad, either. If I would need this feature extensively, I would privately enhance Zope as necessary. I learned yesterday, how to use "cvs import/checkout/update" to keep such private enhancements across Zope upgrades. But your point was: The feature is used in the Zope book, thus, apparently, it was useful. The question: "why not implement the feature rather than change the book". Maybe, DC says something about this Dieter ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML sqltest tag and python expr. Bug in Zope Book?
On Thu, 28 Jun 2001 22:42:13 +0200 (CEST) Dieter Maurer <[EMAIL PROTECTED]> wrote: > I expect that "dtml-sqltest" does not support the "expr" > attribute due to its "optional". > > It is not easy to define the semantics of "optional" for > arbitrary expressions. True, but you already found a possible answer: > Your example seems to suggests, that you would like > the tag to be omitted, when the expression > raise a NameError. > But, in fact, it is not clear whether this is anticipated > by "optional" or a serious problem (maybe deep in the > expression) that should be reported. To overcome that problem, I think it would make sense to treat the "optional" like this: when the expression raises a NameError, if the variable name that caused the error is an expected argument of the ZSQLMethod, then this argument was not provided, so do not render the sqltest tag. Otherwise, we have a real error. In a pythonish algorithm, that would look like this: try: renderedExpr = eval(expr) except NameError, varName: if varName in ZSQLMethodArguments: # "optional" behavior for missing variable pass else: # We have a real error raise NameError, varName else: # render sqltest tag ... Do you think that makes sense? -- Yves-Eric Martin [EMAIL PROTECTED] ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML sqltest tag and python expr. Bug in Zope Book?
Yves-Eric Martin writes: > But unfortunately, does not seem to work. > We get the following error: > > " The "..." shorthand for expr was used in a tag that doesn't > support expr attributes., for tag http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
RE: [Zope-dev] dtml-in batching improved
Ivo, somehow I had missed the very start of the thread. I think that my change pretty much implements the third alternative you describe in your post, but for which you provided no patch (the one which defines the variables at the top and bottom only, because I leave the "if index==first or index==last" test). You are right that my change could break existing code, but I think not as badly as defining the variables for every iteration. In any case, I will keep the change in my version until I notice a side effect that I don't like. Cheers, Jean > -Original Message- > From: Ivo van der Wijk > Sent: Monday, June 18, 2001 7:31 AM > > This is basically my patch #1. It makes previous-sequence-* and > next-sequence-* available throughout the entire dtml-in loop. > > This sounds like a good fix, but people may rely on these variables > being only set at resp. the start and end of the iteration. > > So this patch may break existing dtml code. > > That's why I suggested patch #2, which introduces new variables. Old > code will continue to work, but people who want the problem fixed can > use the newly introduced variables, which are available throughout the > iteration. > > Ivo ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching improved
On Wed, Jun 13, 2001 at 04:28:12PM -0700, Jean Lagarde wrote: > Good day all, > > > Here is the original code, with my annotated change (I deleted an if test in > two places): > > for index in range(first,end): > # preset > kw['previous-sequence']= 0 > kw['next-sequence']= 0 # now more often defined then > previously > # > if index==first or index==last: > # provide batching information > if first > 0: > pstart,pend,psize=opt(0,first+overlap, > sz,orphan,sequence) > deleted this test --> if index==first: kw['previous-sequence']=1 > kw['previous-sequence-start-index']=pstart-1 > kw['previous-sequence-end-index']=pend-1 > kw['previous-sequence-size']=pend+1-pstart (more similar code removed) This is basically my patch #1. It makes previous-sequence-* and next-sequence-* available throughout the entire dtml-in loop. This sounds like a good fix, but people may rely on these variables being only set at resp. the start and end of the iteration. So this patch may break existing dtml code. That's why I suggested patch #2, which introduces new variables. Old code will continue to work, but people who want the problem fixed can use the newly introduced variables, which are available throughout the iteration. Ivo -- Drs. I.R. van der Wijk -=- Brouwersgracht 132 Amaze Internet Services V.O.F. 1013 HA Amsterdam -=- Tel: +31-20-4688336 Linux/Web/Zope/SQL Fax: +31-20-4688337 Network Solutions Web: http://www.amaze.nl/Consultancy Email: [EMAIL PROTECTED] -=- ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching improved
Good day all, I wouldn't consider myself as a Zope developper, but since that's where the thread was... I've read the thread with interest but so far all I've read in it are workarounds that I do not find particularly nice. I did find a bug w/patch in the collector (#1317), which I thought was meant to correct the problem, but the patch has been applied to my version (2.3.2), and dtml-in evidently still did not behave as expected. So I've looked at it more closely and found what I think is a fix, but given my inexperience, I would like to know if others think that I'm doing something wrong. I've tested the change for a while on my application, and everything seems to work so far. Here is the original code, with my annotated change (I deleted an if test in two places): for index in range(first,end): # preset kw['previous-sequence']= 0 kw['next-sequence']= 0 # now more often defined then previously # if index==first or index==last: # provide batching information if first > 0: pstart,pend,psize=opt(0,first+overlap, sz,orphan,sequence) deleted this test --> if index==first: kw['previous-sequence']=1 kw['previous-sequence-start-index']=pstart-1 kw['previous-sequence-end-index']=pend-1 kw['previous-sequence-size']=pend+1-pstart try: # The following line is a sneaky way to # test whether there are more items, # without actually computing a length: sequence[end] pstart,pend,psize=opt(end+1-overlap,0, sz,orphan,sequence) deleted this test --> if index==last: kw['next-sequence']=1 kw['next-sequence-start-index']=pstart-1 kw['next-sequence-end-index']=pend-1 kw['next-sequence-size']=pend+1-pstart except: pass if index==last: kw['sequence-end']=1 Cheers, Jean ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
RE: [Zope-dev] dtml-in batching improved
Title: RE: [Zope-dev] dtml-in batching improved Back before the zope.org product directory became so easy to navigate I wrote an index that I used to use which has batch links top and bottom: http://www.zope.org/Members/haqa/productlist/view_source Dunno if this helps... Adrian... -Original Message- From: Chris Withers [mailto:[EMAIL PROTECTED]] Sent: Wednesday, 30 May 2001 22:03 To: Ivo van der Wijk; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Simon Coles Subject: Re: [Zope-dev] dtml-in batching improved > When using batching in dtml-in, why is 'previous-sequence' only defined at > the first iteration of the current batch? And why is 'next-sequence' only > defined at the last iteration of the current batch? I know this problem ;-) I had it too, and stuck something in the collector about it. I did manage to get the layout you're after without modifying Zope though (see the search page on www.nipltd.com) If you want the code, maybe someone at NIP could fish it out, if you can wait until next Thursday, I'll grab it myself :-) cheers, Chris ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching improved
> > > Nope, my solution used only one dtml-in and maybe a dtml-let, no REQUEST > > > munging :-) > > > > > Ok, show me :) > > Hurm... gimme a shout next Thursday when I have access to the code again ;-) Actually, scratch that, check out the folder_contents.dtml file in CMFDefault/skins of the CMF. It does some cunning REQUEST variable setting that eliminates the need for the fanciness I used... cheers, Chris ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching improved
> > Nope, my solution used only one dtml-in and maybe a dtml-let, no REQUEST > > munging :-) > > > Ok, show me :) Hurm... gimme a shout next Thursday when I have access to the code again ;-) cheers, Chris ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching improved
On Thu, May 31, 2001 at 05:36:21PM +0100, Chris Withers wrote: > > I've done it myself as well using (as described in the posting) two > > dtml-in's (the second one purely for displaying the prev/next links). > > > > Is your solution any different? (The only one I can think of is storing > > the info in your REQUEST object and using it later, but that's really > > ugly.) > > Nope, my solution used only one dtml-in and maybe a dtml-let, no REQUEST > munging :-) > Ok, show me :) Ivo -- Drs. I.R. van der Wijk -=- Brouwersgracht 132 Amaze Internet Services V.O.F. 1013 HA Amsterdam -=- Tel: +31-20-4688336 Linux/Web/Zope/SQL Fax: +31-20-4688337 Network Solutions Web: http://www.amaze.nl/Consultancy Email: [EMAIL PROTECTED] -=- ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching improved
> I've done it myself as well using (as described in the posting) two > dtml-in's (the second one purely for displaying the prev/next links). > > Is your solution any different? (The only one I can think of is storing > the info in your REQUEST object and using it later, but that's really > ugly.) Nope, my solution used only one dtml-in and maybe a dtml-let, no REQUEST munging :-) cheers, Chris ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching improved
Ivo van der Wijk wrote: > > On Wed, May 30, 2001 at 10:02:31PM +0100, Chris Withers wrote: > > > When using batching in dtml-in, why is 'previous-sequence' only defined at > > > the first iteration of the current batch? And why is 'next-sequence' only > > > defined at the last iteration of the current batch? > > > > I know this problem ;-) > > > > I had it too, and stuck something in the collector about it. I did manage to > > get the layout you're after without modifying Zope though (see the search > > page on www.nipltd.com) > > > > I've done it myself as well using (as described in the posting) two > dtml-in's (the second one purely for displaying the prev/next links). > > Is your solution any different? (The only one I can think of is storing > the info in your REQUEST object and using it later, but that's really > ugly.) > AFAIK that is what the next and previous options for dtml-in are for. Usually I just store the sequence (if it is a query) in a variable using a let around three (or more) dtml-ins. Two of which use the next or previous option to create the batching links. -- | Casey Duncan | Kaivo, Inc. | [EMAIL PROTECTED] `--> ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching improved
On Wed, May 30, 2001 at 10:02:31PM +0100, Chris Withers wrote: > > When using batching in dtml-in, why is 'previous-sequence' only defined at > > the first iteration of the current batch? And why is 'next-sequence' only > > defined at the last iteration of the current batch? > > I know this problem ;-) > > I had it too, and stuck something in the collector about it. I did manage to > get the layout you're after without modifying Zope though (see the search > page on www.nipltd.com) > I've done it myself as well using (as described in the posting) two dtml-in's (the second one purely for displaying the prev/next links). Is your solution any different? (The only one I can think of is storing the info in your REQUEST object and using it later, but that's really ugly.) Ivo -- Drs. I.R. van der Wijk -=- Brouwersgracht 132 Amaze Internet Services V.O.F. 1013 HA Amsterdam -=- Tel: +31-20-4688336 Linux/Web/Zope/SQL Fax: +31-20-4688337 Network Solutions Web: http://www.amaze.nl/Consultancy Email: [EMAIL PROTECTED] -=- ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching improved
> When using batching in dtml-in, why is 'previous-sequence' only defined at > the first iteration of the current batch? And why is 'next-sequence' only > defined at the last iteration of the current batch? I know this problem ;-) I had it too, and stuck something in the collector about it. I did manage to get the layout you're after without modifying Zope though (see the search page on www.nipltd.com) If you want the code, maybe someone at NIP could fish it out, if you can wait until next Thursday, I'll grab it myself :-) cheers, Chris ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in bug?
Hi! ok, some more people told me now about it.. ;-) It's not that intuitive nevertheless.. (IMHO) ;-) cheers and thx, Christian On Mon, May 28, 2001 at 05:20:39PM +0200, Tino Wildenhain wrote: > Hi Christian, > > --On Montag, 28. Mai 2001 15:38 +0200 Christian Scholz <[EMAIL PROTECTED]> > wrote: > > > Hi! > > > > Dunno if it's again my "strange" setup, but I have some problem with > > dtml-in or maybe I simply didn't get something right.. > > > > Well, I used the following dtml code: > > > > > > > > a > > > > > > > *rustle* try orphan=0 :-) > > Greetings > Tino > > > > and I thought I will get three a's as output.. instead I get 6.. > > If I do size=3 it's ok (3 output), if I do size=4 or 5 or 6 I get > > them all.. > > (actually it happened with some more complex list of Result objects but > > this seems to do the same here) > > > > Can someone explain that to me..? > > > > (it's Zope 2.3.2, Python 1.5.2, SuSE Linux 7.0) > > > > cheers, > > Christian > > > > -- > > COM.lounge http://comlounge.net/ > > communication & design [EMAIL PROTECTED] > > > > ___ > > Zope-Dev maillist - [EMAIL PROTECTED] > > http://lists.zope.org/mailman/listinfo/zope-dev > > ** No cross posts or HTML encoding! ** > > (Related lists - > > http://lists.zope.org/mailman/listinfo/zope-announce > > http://lists.zope.org/mailman/listinfo/zope ) > > > > -- COM.lounge http://comlounge.net/ communication & design [EMAIL PROTECTED] ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in bug?
Hi Christian, --On Montag, 28. Mai 2001 15:38 +0200 Christian Scholz <[EMAIL PROTECTED]> wrote: > Hi! > > Dunno if it's again my "strange" setup, but I have some problem with > dtml-in or maybe I simply didn't get something right.. > > Well, I used the following dtml code: > > > > a > > *rustle* try orphan=0 :-) Greetings Tino > > and I thought I will get three a's as output.. instead I get 6.. > If I do size=3 it's ok (3 output), if I do size=4 or 5 or 6 I get > them all.. > (actually it happened with some more complex list of Result objects but > this seems to do the same here) > > Can someone explain that to me..? > > (it's Zope 2.3.2, Python 1.5.2, SuSE Linux 7.0) > > cheers, > Christian > > -- > COM.lounge http://comlounge.net/ > communication & design [EMAIL PROTECTED] > > ___ > Zope-Dev maillist - [EMAIL PROTECTED] > http://lists.zope.org/mailman/listinfo/zope-dev > ** No cross posts or HTML encoding! ** > (Related lists - > http://lists.zope.org/mailman/listinfo/zope-announce > http://lists.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in performance
> > What can I do to maximize the peformance of a dtml-in statement? > > When iterating over a 2000 row database query, it takes about 20 > > seconds - time mostly spent doing security checks, and calling > > __getitem__ in DT_InSV.py. Is the performance of dtml-in just slow? > > -Brett > > > > Another performance consideration with looping in DTML is that whatever > is in your DTML block is reinterpreted each time through. Although it is > parsed (hopefully) only the first time through, this overhead is still > considerable when multiplied over 2000 rows. You are essentially using > an interpreter (Python) as an interpreter for DTML. I would seriously > consider moving this entire operation (query, iteration and html > generation) to native Python if performance is a big consideration. We have had similar performance problems with the first version of our Content Management demo. It used both dtml-in loops and ZClasses (with other ZCLasses as base classes) heavily. The combination of the both can be very efficient in slowing down Zope. I remember the first versions of Martijn Faassen's XML-Widgets that had a similar performance problem. The reason is that in addition to the dtml-in overhead ZClasses take a lot of time for acquiring from their containers and inheriting from their "base classes" as all the inheritance stuff is only simulated - in fact almost everything is just stored in property sheets and has to be processed by the security engine if I got it right. In Python these problems go away. Maybe it is time for a good reimplementation of ZClasses, inlcuding the creation of REAL Python classes in the filesystem on the fly. BTW: Does anybody know if the Zope Page Templates (ZPT) parser is faster with looping than the DTML one? Cheers, Joachim. ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in performance
> > What can I do to maximize the peformance of a dtml-in statement? > > When iterating over a 2000 row database query, it takes about 20 > > seconds - time mostly spent doing security checks, and calling > > __getitem__ in DT_InSV.py. Is the performance of dtml-in just slow? > > -Brett > > > > Another performance consideration with looping in DTML is that whatever > is in your DTML block is reinterpreted each time through. Although it is > parsed (hopefully) only the first time through, this overhead is still > considerable when multiplied over 2000 rows. You are essentially using > an interpreter (Python) as an interpreter for DTML. I would seriously > consider moving this entire operation (query, iteration and html > generation) to native Python if performance is a big consideration. We have had similar performance problems with the first version of our Content Management demo. It used both dtml-in loops and ZClasses (with other ZCLasses as base classes) heavily. The combination of the both can be very efficient in slowing down Zope. I remember the first versions of Martijn Faassen's XML-Widgets that had a similar performance problem. The reason is that in addition to the dtml-in overhead ZClasses take a lot of time for acquiring from their containers and inheriting from their "base classes" as all the inheritance stuff is only simulated - in fact almost everything is just stored in property sheets and has to be processed by the security engine if I got it right. In Python these problems go away. Maybe it is time for a good reimplementation of ZClasses, inlcuding the creation of REAL Python classes in the filesystem on the fly. BTW: Does anybody know if the Zope Page Templates (ZPT) parser is faster with looping than the DTML one? Cheers, Joachim. ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in performance
Brett Carter wrote: > > What can I do to maximize the peformance of a dtml-in statement? > When iterating over a 2000 row database query, it takes about 20 > seconds - time mostly spent doing security checks, and calling > __getitem__ in DT_InSV.py. Is the performance of dtml-in just slow? > -Brett > Another performance consideration with looping in DTML is that whatever is in your DTML block is reinterpreted each time through. Although it is parsed (hopefully) only the first time through, this overhead is still considerable when multiplied over 2000 rows. You are essentially using an interpreter (Python) as an interpreter for DTML. I would seriously consider moving this entire operation (query, iteration and html generation) to native Python if performance is a big consideration. -- | Casey Duncan | Kaivo, Inc. | [EMAIL PROTECTED] `--> ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in performance
call the daatabase query in an external method and convert the result to a simple object (like a dictionary), then pass that back and iterate over it jens on 4/4/01 20:54, Brett Carter at [EMAIL PROTECTED] wrote: > What can I do to maximize the peformance of a dtml-in statement? > When iterating over a 2000 row database query, it takes about 20 > seconds - time mostly spent doing security checks, and calling > __getitem__ in DT_InSV.py. Is the performance of dtml-in just slow? > -Brett > > ___ > Zope-Dev maillist - [EMAIL PROTECTED] > http://lists.zope.org/mailman/listinfo/zope-dev > ** No cross posts or HTML encoding! ** > (Related lists - > http://lists.zope.org/mailman/listinfo/zope-announce > http://lists.zope.org/mailman/listinfo/zope ) > ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in performance
Yes, but iterating over a list of 2000 rows is a long process. Things like using mapping slow it down even further as you get each column. Less rows will make all the difference. - Original Message - From: "Brett Carter" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, April 04, 2001 5:54 PM Subject: [Zope-dev] dtml-in performance > What can I do to maximize the peformance of a dtml-in statement? > When iterating over a 2000 row database query, it takes about 20 > seconds - time mostly spent doing security checks, and calling > __getitem__ in DT_InSV.py. Is the performance of dtml-in just slow? > -Brett > > ___ > Zope-Dev maillist - [EMAIL PROTECTED] > http://lists.zope.org/mailman/listinfo/zope-dev > ** No cross posts or HTML encoding! ** > (Related lists - > http://lists.zope.org/mailman/listinfo/zope-announce > http://lists.zope.org/mailman/listinfo/zope ) > ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in: next-batches
Brett Carter writes: > I tried accessing keys off the 'data' object, and I just get an > 'unathorized' error. > Dieter> The attributes your are looking for are in fact keys > Dieter> of the mapping 'data'. Sorry for the misleading answer. "data" is not supposed to be used directly. "next-batches" returns a sequence of "DocumentTemplate.DT_In_SV.sequence_variables". Each "sequence_variables" object behaves like a mapping and exposes the items of its "data" member (and some more items derived from them), among them "batch-start-index", 'batch-end-index', and 'batch-size'. Dieter ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
RE: [Zope-dev] dtml-in: next-batches
I found this in some Zope documentation. It wont give you "1,2,3,4,5...10" it gives "(1-10)(11-20)(21-30)...". Monkey with it a little and you'll get it. Beware it will call your External Method or ZSQL as many times/10. , ( - ) , ( - ) )"> -Bryan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brett Carter Sent: Wednesday, March 07, 2001 6:34 PM To: [EMAIL PROTECTED] Subject: [Zope-dev] dtml-in: next-batches Does anybody have an example of how to use the supposed next-batches mapping returned by dtml-in? I'm trying to build a google-like pageing feature into my application, so we just show the first 5 results, then have a link to each next page, ie "1,2,3,4..." Thanks, -Brett ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in: next-batches
I tried accessing keys off the 'data' object, and I just get an 'unathorized' error. -Brett > "Dieter" == Dieter Maurer <[EMAIL PROTECTED]> writes: Dieter> Brett Carter writes: >> I'm running Zope 2.2.2, and I'm trying to use the batching stuff for >> the dtml-in tag, however, I can't seem to access any attributes off >> the 'next-batches' or 'previous-batches' mapping object that's >> supposed to be available, with the attributes 'batch-start-index', >> 'batch-end-index', and 'batch-size'. >> >> I wrote an external method to dir the 'next-batches' object, and it >> seems the only attributes available are: >> ['data', 'items', 'query_string', 'start_name_re'] Dieter> The attributes your are looking for are in fact keys Dieter> of the mapping 'data'. Dieter> Dieter ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in: next-batches
Brett Carter writes: > I'm running Zope 2.2.2, and I'm trying to use the batching stuff for > the dtml-in tag, however, I can't seem to access any attributes off > the 'next-batches' or 'previous-batches' mapping object that's > supposed to be available, with the attributes 'batch-start-index', > 'batch-end-index', and 'batch-size'. > > I wrote an external method to dir the 'next-batches' object, and it > seems the only attributes available are: > ['data', 'items', 'query_string', 'start_name_re'] The attributes your are looking for are in fact keys of the mapping 'data'. Dieter ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in: next-batches
I've also discovered that setting overlap = 0 actually causes everything to overlap by 1. I didn't see anything in the collector about this either... -Brett > "Brett" == Brett Carter <[EMAIL PROTECTED]> writes: Brett> I'm running Zope 2.2.2, and I'm trying to use the batching stuff for Brett> the dtml-in tag, however, I can't seem to access any attributes off Brett> the 'next-batches' or 'previous-batches' mapping object that's Brett> supposed to be available, with the attributes 'batch-start-index', Brett> 'batch-end-index', and 'batch-size'. However, my example code (see Brett> below) blows up with a key error when trying to access any of these. Brett> Is this a bug, or am I just misunderstanding how to use this thing? Brett> I wrote an external method to dir the 'next-batches' object, and it Brett> seems the only attributes available are: Brett> ['data', 'items', 'query_string', 'start_name_re'] Brett> -Brett Brett> Brett> Brett> Brett> Brett> Brett> Brett> Previous Brett> Brett> Brett> Brett> Brett> Brett> Brett> Brett> Brett> Brett> Brett> Brett> Brett> Brett> Next Brett> Brett> Brett> ___ Brett> Zope-Dev maillist - [EMAIL PROTECTED] Brett> http://lists.zope.org/mailman/listinfo/zope-dev Brett> ** No cross posts or HTML encoding! ** Brett> (Related lists - Brett> http://lists.zope.org/mailman/listinfo/zope-announce Brett> http://lists.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML Documents/Folders in ZClasses fail to accessanything
Steve Alexander wrote: >Itai Tavor wrote: > >>Hi, >> >>I got a ZClass 'Test', with a DTML Method 'view' containing >>, and a DTML Document 'view2' with the same line. >>instance/view works. instance/view2 returns (ZDebug output): > >From SimpleItem.py: > >"""Direct use of the 'id' attribute is deprecated - use getId()""" > >The difference you're seeing is because the DTML Method is acquiring the >id attribute, whereas you're getting the DTML Document's own id >attribute. Thanks, but it's got nothing to do with getId... I just used id because it's easy to write. I get the same behavior if I try to view meta_type, or a property that is defined on a propertysheet in the ZClass. And the fact that the DTML Document uses its own attributes shouldn't cause Unauthorized, should it? It should just show a different attribute, or acquire the attribute if it doesn't have it. I just tried it again with a clean install of Zope 2.3.0. In a DTML Document, this works (name is a property in the ZClass propertysheet): But these fail with Unauthorized: , . The in standard_html_header fails as well. I also repeated the folder test: In a DTML Method stored inside a folder in the ZClass, works, but fails. So what do we have? I can't use title_or_id on DTML Documents, so it's useless for use in standard_html_header (and title_or_id uses getId, so it should work). I can't access ZClass properties from the DTML Document unless I use dtml-with - meaning no acquisition. And I can't access properties of the DTML Document (like meta_type) unless they are accessed using a method call (like getId()). This can't be right. I find it hard to believe that if this is really a bug, it didn't bother anybody else until now. On the other hand, these tests seem to show a problem with security checks on objects in ZClasses that create their own context. So what am I still missing here? Itai -- -- Itai Tavor -- "Je sautille, donc je suis."-- [EMAIL PROTECTED]-- - Kermit the Frog -- -- -- -- "If you haven't got your health, you haven't got anything" -- ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML Documents/Folders in ZClasses fail to access anything
Itai Tavor writes: > I got a ZClass 'Test', with a DTML Method 'view' containing id>, and a DTML Document 'view2' with the same line. instance/view > works. instance/view2 returns (ZDebug output): > > Error type: Unauthorized > Error value: The object /test/view2, which is contained in > /test/view2, is marked as private. I would check the ZClass's "Access Contents Information" permission mapping. Dieter ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML Documents/Folders in ZClasses fail to access anything
Itai Tavor wrote: > Hi, > > I got a ZClass 'Test', with a DTML Method 'view' containing id>, and a DTML Document 'view2' with the same line. instance/view > works. instance/view2 returns (ZDebug output): >From SimpleItem.py: """Direct use of the 'id' attribute is deprecated - use getId()""" The difference you're seeing is because the DTML Method is acquiring the id attribute, whereas you're getting the DTML Document's own id attribute. -- Steve Akexander Software Engineer Cat-Box limited http://www.cat-box.net ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching
[EMAIL PROTECTED] wrote: > Well that's odd - I searched the collector for "dtml-in" and got no > matches. that's because of the - in dtml-in being treated as a stop character by ZCatalog. Ironically, ZCatalog is not very good at indexing stuff that contains documentation about Zope, stripping out characters like _ - and . :-S cheers, Chris ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML block parsing
Casey Duncan wrote: > > OK, I have developed a new patch that almost completely fixes this > issue. In fact I am happier with it in general than my first patch. > There is only one flaw, although you can nest comments inside of one > another, and you can have any manner of broken dtml inside, if you open > another comment tag inside it, it must be properly balanced or you will > get a parse error. Here are some examples: > I am a bit concerned that should ever generate errors at > all, but this is certainly an improvement. Anybody have any thoughts? I'm very happy with the way you describe the patched tag works. I'll try it out when I return from the EuroZope meeting in Amsterdam. I don't think it is reasonable to try to catch unbalanced dtml-comment tags. In fact, I like the fact that it will raise an error if I leave them unbalanced. Thanks. -- Steve Alexander Software Engineer Cat-Box limited http://www.cat-box.net ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching
On 24 Jan 2001, at 11:15, [EMAIL PROTECTED] wrote: > Brad Clements wrote: > > I posted this same bug AND a patch as bug # 1566 on Aug 28th, 2000. > > > > http://classic.zope.org:8080/Collector/1566/view > > > > Sad to see its *still* pending > > Well that's odd - I searched the collector for "dtml-in" and got no > matches. A search for "renderwb" (which is in the title) works. Looks like > it doesn't search the description after all. Boo to the search engine. > > Just curious: why specify the browser/platform/python version stuff when > the problem is independant of those things? > Because I'm Anal Retentive. Also figured perhaps my entry would be ignored without that information. Or worse the form would be rejected on submit because those fields where blank AND it wouldn't remember what I'd put in AND back would fail. So, I filled out the form entirely. Brad Clements,[EMAIL PROTECTED] (315)268-1000 http://www.murkworks.com (315)268-9812 Fax netmeeting: ils://ils.murkworks.com AOL-IM: BKClements ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching
Brad Clements wrote: > On 24 Jan 2001, at 9:43, [EMAIL PROTECTED] wrote: > > Tres Seaver wrote: > > > > Please post this as a "Bug w/ patch" to the Collector: > > > > > > http://classic.zope.org:8080/Collector > > > > > > That way we don't lose your fix in the list traffic (losing it > > > along with our marbles is another problem :) > > > >Someone else responded to the list saying that he'd already done it. > > There was no match to my search of dtml-in though, so I've submitted a new > > bug report. > > I posted this same bug AND a patch as bug # 1566 on Aug 28th, 2000. > > http://classic.zope.org:8080/Collector/1566/view > > Sad to see its *still* pending Well that's odd - I searched the collector for "dtml-in" and got no matches. A search for "renderwb" (which is in the title) works. Looks like it doesn't search the description after all. Boo to the search engine. Just curious: why specify the browser/platform/python version stuff when the problem is independant of those things? Richard ps. Brad, sorry I referred to you as "someone else" - I lost the email with your name in it ;) -- Richard Jones [EMAIL PROTECTED] Senior Software Developer, Bizar Software (www.bizarsoftware.com.au) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching
On 24 Jan 2001, at 9:43, [EMAIL PROTECTED] wrote: > Tres Seaver wrote: > > Please post this as a "Bug w/ patch" to the Collector: > > > > http://classic.zope.org:8080/Collector > > > > That way we don't lose your fix in the list traffic (losing it > > along with our marbles is another problem :) > >Someone else responded to the list saying that he'd already done it. > There was no match to my search of dtml-in though, so I've submitted a new > bug report. I posted this same bug AND a patch as bug # 1566 on Aug 28th, 2000. http://classic.zope.org:8080/Collector/1566/view Sad to see its *still* pending Brad Clements,[EMAIL PROTECTED] (315)268-1000 http://www.murkworks.com (315)268-9812 Fax netmeeting: ils://ils.murkworks.com AOL-IM: BKClements ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching
On Wed, 24 Jan 2001 [EMAIL PROTECTED] wrote: > Tres Seaver wrote: > > > Please post this as a "Bug w/ patch" to the Collector: > > > > http://classic.zope.org:8080/Collector > > > > That way we don't lose your fix in the list traffic (losing it > > along with our marbles is another problem :) > > Someone else responded to the list saying that he'd already > done it. There was no match to my search of dtml-in though, so > I've submitted a new bug report. Thanks very much! Tres. -- === Tres Seaver[EMAIL PROTECTED] Digital Creations "Zope Dealers" http://www.zope.org ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching
Tres Seaver wrote: > > [EMAIL PROTECTED] wrote: > > [EMAIL PROTECTED] wrote: > > > > > > The dtml-in batching mechanisms are quite difficult to debug - the DTML > > > documentation I have has examples which break it and there's no indication > > > of why. It turns out the DT_In renderwb() code gobbles all exceptions from > > > the rendering of the previous and next blocks. I've hacked my code so that > > > there's no try/except clause any more. I'm not sure what exception it's > > > trying to catch, but could it perhaps be made a little more picky? > > > > And here's a diff - I'm pretty sure this was the intended behaviour... > > Please post this as a "Bug w/ patch" to the Collector: > > http://classic.zope.org:8080/Collector > > That way we don't lose your fix in the list traffic (losing it > along with our marbles is another problem :) Someone else responded to the list saying that he'd already done it. There was no match to my search of dtml-in though, so I've submitted a new bug report. Richard -- Richard Jones [EMAIL PROTECTED] Senior Software Developer, Bizar Software (www.bizarsoftware.com.au) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML block parsing
Casey Duncan wrote: > > Steve Alexander wrote: > > With your patch applied, will nested dtml-comment tags still work? > > > > > >Some code commented out > > > >Documentation in a comment > > > >Rest of code commented out > > > > > > -- > > Steve Alexander > > Software Engineer > > Cat-Box limited > > http://www.cat-box.net > > In present form no. It also does not support block continuation tags. > > I will see what I can do about this. OK, I have developed a new patch that almost completely fixes this issue. In fact I am happier with it in general than my first patch. There is only one flaw, although you can nest comments inside of one another, and you can have any manner of broken dtml inside, if you open another comment tag inside it, it must be properly balanced or you will get a parse error. Here are some examples: These do not generate errors with my new patch: Blah Blah These do: I am a bit concerned that should ever generate errors at all, but this is certainly an improvement. Anybody have any thoughts? -- | Casey Duncan | Kaivo, Inc. | [EMAIL PROTECTED] `--> ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML block parsing
Steve Alexander wrote: > With your patch applied, will nested dtml-comment tags still work? > > >Some code commented out > >Documentation in a comment > >Rest of code commented out > > > -- > Steve Alexander > Software Engineer > Cat-Box limited > http://www.cat-box.net In present form no. It also does not support block continuation tags. I will see what I can do about this. -- | Casey Duncan | Kaivo, Inc. | [EMAIL PROTECTED] `--> ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML block parsing
Casey Duncan wrote: > > If not, I will make a patch for DT_String to support this. The > beneficial side affect would be that could be "fixed" so > that its contents need not be parsable anymore, just like every other > language I know of. With your patch applied, will nested dtml-comment tags still work? Some code commented out Documentation in a comment Rest of code commented out -- Steve Alexander Software Engineer Cat-Box limited http://www.cat-box.net ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching
[EMAIL PROTECTED] wrote: > [EMAIL PROTECTED] wrote: > > > > The dtml-in batching mechanisms are quite difficult to debug - the DTML > > documentation I have has examples which break it and there's no indication > > of why. It turns out the DT_In renderwb() code gobbles all exceptions from > > the rendering of the previous and next blocks. I've hacked my code so that > > there's no try/except clause any more. I'm not sure what exception it's > > trying to catch, but could it perhaps be made a little more picky? > > And here's a diff - I'm pretty sure this was the intended behaviour... Please post this as a "Bug w/ patch" to the Collector: http://classic.zope.org:8080/Collector That way we don't lose your fix in the list traffic (losing it along with our marbles is another problem :) Tres. -- === Tres Seaver[EMAIL PROTECTED] Digital Creations "Zope Dealers" http://www.zope.org ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching
This was submitted to the collect quite a while ago as a bug.. Also I submitted a patch about 2 months ago for this, about the same patch as yours. On 22 Jan 2001, at 12:03, [EMAIL PROTECTED] wrote: From: [EMAIL PROTECTED] Date sent: Mon, 22 Jan 2001 12:03:14 +1100 To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> Subject: Re: [Zope-dev] dtml-in batching > [EMAIL PROTECTED] wrote: > > > > The dtml-in batching mechanisms are quite difficult to debug - the DTML > > documentation I have has examples which break it and there's no > > indication of why. It turns out the DT_In renderwb() code gobbles all > > exceptions from the rendering of the previous and next blocks. I've > > hacked my code so that there's no try/except clause any more. I'm not > > sure what exception it's trying to catch, but could it perhaps be made a > > little more picky? > > And here's a diff - I'm pretty sure this was the intended behaviour... > > > *** /tmp/DT_In.py.origMon Jan 22 12:00:53 2001 > --- DT_In.py Mon Jan 22 12:00:58 2001 > *** > *** 561,566 > --- 561,570 > # there are more items, without actually > # computing a length: > sequence[end] > + except IndexError: > + if self.elses: result=render(self.elses, md) > + else: result='' > + else: > pstart,pend,psize=opt(end+1-overlap,0, > sz,orphan,sequence) > kw['next-sequence']=1 > *** > *** 568,576 > kw['next-sequence-end-index']=pend-1 > kw['next-sequence-size']=pend+1-pstart > result=render(section,md) > - except: > - if self.elses: result=render(self.elses, md) > - else: result='' > else: > result = [] > append=result.append > --- 572,577 > > > -- > Richard Jones > [EMAIL PROTECTED] > Senior Software Developer, Bizar Software (www.bizarsoftware.com.au) > Brad Clements,[EMAIL PROTECTED] (315)268-1000 http://www.murkworks.com (315)268-9812 Fax netmeeting: ils://ils.murkworks.com AOL-IM: BKClements ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML block parsing
On Monday 22 January 2001 08:54, Casey Duncan wrote: > I am working on a custom DTML tag (that I may unleash on the world when > finished) that has brought to my attention an interesting feature of the > DTML parser: > > It preparses everything in the block(s) between the start and end tags > before the document containing the code is committed. > > My tag is a little different in that I don't want to put DTML inside it, > therefore this parsing is undesirable. There is however one built-in tag > that this is true for as well: . Many a thread has been > burned about that issue. i've been bitten by this 'feature' as well. i hacked out a bad solution where i checked the length of the block, and raised an error if it was larger than one. but this didn't solve the problem that the nested dtml was still evaluated. which troubles me since i think it could be a security problem in the context of my tag. > I propose a change to DT_String to allow a tag to turn off this > preparsing feature. It should be easy enough to implement by adding a > class attribute to the tag class such as disable_dtml_block_parsing = 1. > Is this abhorrent to anyone? sounds good to me. > If not, I will make a patch for DT_String to support this. The > beneficial side affect would be that could be "fixed" so > that its contents need not be parsable anymore, just like every other > language I know of. cool. Kapil Thangavelu ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching
[EMAIL PROTECTED] wrote: > > The dtml-in batching mechanisms are quite difficult to debug - the DTML > documentation I have has examples which break it and there's no indication > of why. It turns out the DT_In renderwb() code gobbles all exceptions from > the rendering of the previous and next blocks. I've hacked my code so that > there's no try/except clause any more. I'm not sure what exception it's > trying to catch, but could it perhaps be made a little more picky? And here's a diff - I'm pretty sure this was the intended behaviour... *** /tmp/DT_In.py.orig Mon Jan 22 12:00:53 2001 --- DT_In.pyMon Jan 22 12:00:58 2001 *** *** 561,566 --- 561,570 # there are more items, without actually # computing a length: sequence[end] + except IndexError: + if self.elses: result=render(self.elses, md) + else: result='' + else: pstart,pend,psize=opt(end+1-overlap,0, sz,orphan,sequence) kw['next-sequence']=1 *** *** 568,576 kw['next-sequence-end-index']=pend-1 kw['next-sequence-size']=pend+1-pstart result=render(section,md) - except: - if self.elses: result=render(self.elses, md) - else: result='' else: result = [] append=result.append --- 572,577 -- Richard Jones [EMAIL PROTECTED] Senior Software Developer, Bizar Software (www.bizarsoftware.com.au) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in batching
[EMAIL PROTECTED] wrote: > > The dtml-in batching mechanisms are quite difficult to debug - the DTML > documentation I have has examples which break it and there's no indication > of why. It turns out the DT_In renderwb() code gobbles all exceptions from > the rendering of the previous and next blocks. I've hacked my code so that > there's no try/except clause any more. I'm not sure what exception it's > trying to catch, but could it perhaps be made a little more picky? Re-glancing at the code shows me that this is only the case for the next block. Sorry about that. -- Richard Jones [EMAIL PROTECTED] Senior Software Developer, Bizar Software (www.bizarsoftware.com.au) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML Documents == DTML Methods that are anchored?
The Doctor What writes: > What are the differences between DTML Documents and Methods > internally? There are too small differences: 1. DTML documents implement the "PropertyManager" interface, i.e. they can have properties other than "id" and "title". 2. DTML documents place themselves on top of the DTML namespace when they are rendered (called), DTML methods do not place themselves on the namespace at all for rendering. The effect is that during name lookup a DTML Document is asked early whether it (or its acquisition ancestors) can satisfy the name request. If it can, you get this object. A DTML Method, on the other hand, would not be asked in a similar situation, as it is not on the namespace stack. This means, name lookup looks through the DTML Method directly onto the method's client, the Method is completely transparent. A DTML Document is only partially transparent, it hides all names that it or its acquisition ancestors define. Only the other names are handled in the same way as would be the case for a DTML method. Dieter ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML Documents == DTML Methods that are anchored?
You should look through the mailing lists there is generous amounts of answers to this. For me the two sit philosophically linked in the acquisition model. Acquisition is partially about actions working in environments, with the environment decribing the quality of the result. You can think of a DTMLMethod as an action, who itself has no substrate, i.e. properties, and DTMLDocuments as substrate, i.e. it contains properties etc, for example background colour, types of animals, whatever. One can then throw a method around into different environments, i.e. call it on documents, and one will get a result that is dependent on that environment(document). It is also nice that environments can acquire from their surrounding too, so you should think of acquisition in DTMLDocuments as been for more and more global properties as one moves out, eg: a company logo. Whereas acquisition for a method is to actually acquire an environment to work in. Well that's the way I view it, and it helps. Matt On Sat, 30 Dec 2000, The Doctor What wrote: > What are the differences between DTML Documents and Methods > internally? I was just thinking about the problems every new user > (and experienced users, every so often) have regarding DTML > Documents vs DTML Methods. > > Aren't they really the same except that Documents are anchored (ie, > don't allow aquisition from the caller, but only from the location > of the Document)? > > If that is true, couldn't they be simplified as a (example name) > DTML Object that had an "anchor" flag? > > Just a thought. > > Ciao! > > -- > So Buddha walks into a pizza parlor and says: "Hey, make me one with everything." > > The Doctor What: Need I say more?http://docwhat.gerf.org/ > [EMAIL PROTECTED] KF6VNC > > ___ > Zope-Dev maillist - [EMAIL PROTECTED] > http://lists.zope.org/mailman/listinfo/zope-dev > ** No cross posts or HTML encoding! ** > (Related lists - > http://lists.zope.org/mailman/listinfo/zope-announce > http://lists.zope.org/mailman/listinfo/zope ) -- ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML processing variable
If this is your exact code, it looks like you should be using "sequence-item", instead of "sequence_item". You should also be able to do it without the external method like this: (100% untested) "David W. Damon" wrote: > > Hey all, > > I'm having difficulty getting dtml-in to iterate over a list of strings > returned from an external python method. > > Essentially, I have a string that is comprised of the contents of an HTML text > area. I need to split the string into a list of words and iterate over this > list. > > My external python method is this: > > def stringSplit( self, theString ): > return string.split( theString ) > > Heres the pertinent DTML. > > --- > > > > > > > > --- > > If I comment out the dtml-in block, i have a userList variable in the REQUEST > object that is something like: ['name1', 'name2', 'name3'] > > Any ideas? > > -- dave > > ___ > Zope-Dev maillist - [EMAIL PROTECTED] > http://lists.zope.org/mailman/listinfo/zope-dev > ** No cross posts or HTML encoding! ** > (Related lists - > http://lists.zope.org/mailman/listinfo/zope-announce > http://lists.zope.org/mailman/listinfo/zope ) -- Paul Erickson | [EMAIL PROTECTED] Kaivo, Inc. | www.kaivo.com ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
RE: [Zope-dev] dtml-var tag suggestion
Thanks, that works good. It also escapes any special characters in the string, an added bonus. The only case I found where a new format option would work better is if you use the dtml-var size option to limit the size of the string. I will continue to play with it and see what I come up with. Perhaps an option to back_quote should be added to dtml-var to eliminate somewhat hairy looking expressions like this (taken from my code): I never thought I would use every type of quotation mark in a single expression! 8^) Thanks! -Casey D. -Original Message- From: Duncan Booth [mailto:[EMAIL PROTECTED]] Sent: Monday, July 31, 2000 10:09 AM To: Casey Duncan; [EMAIL PROTECTED] Subject: Re: [Zope-dev] dtml-var tag suggestion > I have been using dtml to create dynamic JavaScripts for some forms I am > creating. In doing this I came upon the standard problem of inserting > strings containing double quotes into a JavaScript such as where title = > '"Quoted String"': > > form.select.options[0].text = ""; > > And you wind up with this rendered: > > form.select.options[0].text = ""Quoted String""; > Given that, like Python, javascript accepts strings either single or double quoted, you could try using backquotes to escape the string: form.select.options[0].text = ; should (untested) give you: form.select.options[0].text = '"Quoted String"'; Provided title is a string, this will escape any quotes and, for that matter, unprintable characters, and wrap either single or double quotes round the outside. If title is a method then you need to call it first: -- Duncan Booth [EMAIL PROTECTED] int month(char *p){return(124864/((p[0]+p[1]-p[2]&0x1f)+1)%12)["\5\x8\3" "\6\7\xb\1\x9\xa\2\0\4"];} // Who said my code was obscure? http://dales.rmplc.co.uk/Duncan ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-var tag suggestion
> I have been using dtml to create dynamic JavaScripts for some forms I am > creating. In doing this I came upon the standard problem of inserting > strings containing double quotes into a JavaScript such as where title = > '"Quoted String"': > > form.select.options[0].text = ""; > > And you wind up with this rendered: > > form.select.options[0].text = ""Quoted String""; > Given that, like Python, javascript accepts strings either single or double quoted, you could try using backquotes to escape the string: form.select.options[0].text = ; should (untested) give you: form.select.options[0].text = '"Quoted String"'; Provided title is a string, this will escape any quotes and, for that matter, unprintable characters, and wrap either single or double quotes round the outside. If title is a method then you need to call it first: -- Duncan Booth [EMAIL PROTECTED] int month(char *p){return(124864/((p[0]+p[1]-p[2]&0x1f)+1)%12)["\5\x8\3" "\6\7\xb\1\x9\xa\2\0\4"];} // Who said my code was obscure? http://dales.rmplc.co.uk/Duncan ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in: sort is not locale-aware
Oleg Broytmann wrote: > > Hello! > >Currently dtml-in does not use locale when sorting the sequence. Before > creating a patch I want to discuss a way dtml-in should handle this. The > problem is that list.sort() does not sort according to koi8-r cyrillic > locale; to make sort locale-aware I need to list.sort(locale.strcoll). >But how I could ask dtml-in to use locale.strcoll? Should I add another > option to dtml-in? Something like > ? I use A bit slower but works like hammer. Mike ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] dtml-in: sort is not locale-aware
On Tue, 20 Jun 2000, mike wrote: > >But how I could ask dtml-in to use locale.strcoll? Should I add another > > option to dtml-in? Something like > > ? > > I use > A bit slower but works like hammer. I want to use all power of dtml-in and other zope tools. There are things where I can just write my functions and methods; and there are cases so general that it's more correct to extend zope functionality. Do you know that latest version of Zope can sort by multiple keys? How do you extend your ru_sort() to reflect the change? Oleg.(All opinions are mine and not of my employer) Oleg Broytmann Foundation for Effective Policies [EMAIL PROTECTED] Programmers don't die, they just GOSUB without RETURN. ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML DTD (or DTML mode for EMACS)?
Stephan Richter wrote: > > At 01:30 PM 6/20/00 +0800, you wrote: > >Does anybody have subject? > > Well, I use SGML-MODE. Works for me. Which DTD do you use? If I have 'ignore undefined elements' option set it does not indent tags properly (of course). If I unset this option, 'normalize' command removes all content of tags. Mike ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML tag creation.
Bill Anderson wrote: > I am about to dive into a custom tag, it will be a 'container' tag. > I have seen the HowTo, and it really isn't that clear when you get to > the container tag info. > > Can anyone provide a better rundown? Anyone have a custom tag they > would mind sharing for perusal? > Just trying to save myself sometime. Not a container tag, but check out http://www.zope.org/Members/noa/SpellChecker - me and Noa wrote this a while back. A spellchecker interface written in DTML is not a pretty sight, but you do learn DTML really quickly :) -- Itamar S.T. [EMAIL PROTECTED] ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )