Re: [Zope-dev] dtml-try with z-sql

[Tres Seaver]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 02/01/2013 04:27 AM, murat bilal wrote:

> I have DTML-Method like below   "deleteUser(USERNAME=USERNAME)">
> 
>  An error occurred. Entry was NOT deleted. 
> 
> 
> deleteUser is Z-SQL method.USERNAME is the argument in Z-SQL method
> also column name. When i click erase button it succesfully deletes
> record.But if i enter an invalid username it did not throw any
> exceptions.


This issue is unrelated to DTML / ZSQLMethods.  SQL statements like the
following::

 DELETE FROM some_table WHERE id = 123;

don't cause exceptions to be raised for an unknown value like 123;  they
just affect no rows.  If you need an error raised, you need to do
something like create a stored procedure on the server which does that.



Tres.
- -- 
===
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software   "Excellence by Design"http://palladion.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlEL7m8ACgkQ+gerLs4ltQ5uVgCfYRw7x3XAfwsdoFkJCNZm1U3H
DKgAoLT358rI08s8GMwanffFV4jT4f8Y
=StFb
-END PGP SIGNATURE-

___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-try with z-sql

[Jian Aijun]

I'm not familiar with DTML.

In my opinion:

deleteUser(USERNAME=invalid USERNAME)

Does not throw an exception,

Should be judged through a function return value.


2013/2/1 Jian Aijun 

> I'm not familiar with DTML,
> I would like to:
>
> deleteUser(USERNAME=invalid USERNAME)
>
> Does not throw an exception,
>
> Should be judged through a function return value.
>
>
> 2013/2/1 murat bilal 
>
>> Hi all,
>>
>> I have DTML-Method like below
>> 
>> 
>>
>>
>>  An error occurred. Entry was NOT deleted.
>> 
>>
>> deleteUser is Z-SQL method.USERNAME is the argument in Z-SQL method also
>> column name.
>> When i click erase button it succesfully deletes record.But if i enter an
>> invalid username it did not throw any exceptions.
>>
>> Please help
>>
>> REgards
>>
>> ___
>> Zope-Dev maillist  -  Zope-Dev@zope.org
>> https://mail.zope.org/mailman/listinfo/zope-dev
>> **  No cross posts or HTML encoding!  **
>> (Related lists -
>>  https://mail.zope.org/mailman/listinfo/zope-announce
>>  https://mail.zope.org/mailman/listinfo/zope )
>>
>>
>
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-try with z-sql

[Jian Aijun]

I'm not familiar with DTML,
I would like to:

deleteUser(USERNAME=invalid USERNAME)

Does not throw an exception,

Should be judged through a function return value.


2013/2/1 murat bilal 

> Hi all,
>
> I have DTML-Method like below
> 
> 
>
>
>  An error occurred. Entry was NOT deleted.
> 
>
> deleteUser is Z-SQL method.USERNAME is the argument in Z-SQL method also
> column name.
> When i click erase button it succesfully deletes record.But if i enter an
> invalid username it did not throw any exceptions.
>
> Please help
>
> REgards
>
> ___
> Zope-Dev maillist  -  Zope-Dev@zope.org
> https://mail.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  https://mail.zope.org/mailman/listinfo/zope-announce
>  https://mail.zope.org/mailman/listinfo/zope )
>
>
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-sendmail issue

[Christopher Lozinski]

Break the problem up.  First thing to do is to check if sendmail is
working from the file system.

on unix

mail m...@mydomain.com

If that breaks, you know what to fix.  If that works, double check your
configurations on your mailhost object.

And finally try just a 3 line sendmail file. 

I have used dtml-sendmail a lot over the years.  As far as I know it has
always worked fine.   Trust it,
but not the code you have written, and you should be able to get it
fixed quickly. 

-- 
Regards
Christopher Lozinski

Check out my iPhone apps TextFaster and EmailFaster
http://textfaster.com

Expect a paradigm shift.
http://MyHDL.org

___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-sendmail issue

[Tres Seaver]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/02/2011 11:35 AM, Babylakshmi Muthusamy wrote:

> I tried to send mail through SMTP localhost using dtml-sendmail. It 
> was working fine for many days. Currently it is not sending mails. 
> Could you please provide me pointers to debug this issue?

Does your code fail with an exception?  If so, please provide the
traceback (you should be able to get it from the 'error_log' object in
your site).

If not, then likely the problem is with the MTA you have running on your
machine:  maybe its configuration changed?



Tres.
- -- 
===
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software   "Excellence by Design"http://palladion.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4PQdcACgkQ+gerLs4ltQ40FACgsPjjFI/fRnUsvUnrhknXATT/
n8MAniNjRYyEmnKshz2z1Z0fQ6VyZIXL
=+Spv
-END PGP SIGNATURE-

___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML is dead, long live DTML ;-)

[Hanno Schlichting]

On Sun, Sep 5, 2010 at 1:28 PM, Tim Hoffman  wrote:
> So I was looking for zope eco system based non html/xml based templating
> systems as a response to Martin
> saying DTML is dead, as I am currently using DTML for these sorts of tasks.

The Zope eco system for such tasks is the same as the wider Python eco
system these days. There's absolutely no need to stick with a
Zope-only approach anymore.

string.Template, Jinja2 and Mako all seem to be well maintained
templating solutions you could use. DTML is definitely dead as far as
open-source software can die.

Hanno
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML is dead, long live DTML ;-)

[Florian Friesdorf]

On Sun, Sep 05, 2010 at 11:13:05AM +0800, Tim Hoffman wrote:
> Hi Florian
> 
> I use a model based generation approach (from enterprise architect) however
> even archgenxml has templates for large amounts of  boiler plate under the
> hood.
> 
> Have you actually looked at the src of archgenxml, if you did you will
> notices it uses dtml for templating the code output ;-)

Once did, but wasn't aware of any dtml, come to think of it, there is
some reason to it ;)

-- 
Florian Friesdorf 
  GPG FPR: EA5C F2B4 FBBB BA65 3DCD  E8ED 82A1 6522 4A1F 4367
Jabber/XMPP: f...@chaoflow.net
IRC: chaoflow on freenode,ircnet,blafasel,OFTC


pgp9485K58h0p.pgp
Description: PGP signature
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML is dead, long live DTML ;-)

[Tim Hoffman]

Hi Laurence

I think you missed my point.  I was talking about generating code (sql as
DDL for instance)
not sql statements.  I use Enterprise architect to model the application in
UML for the data model,
entity model, I generate  generate storm schema and DDL for accessing the
database from the model.
And much of the model is originally reverse engineered from the RDBMS by EE.


And usually the RDBMS is pre-existing, not a new thing.  So the schema of
the RDBMS is fixed.

So I was looking for zope eco system based non html/xml based templating
systems as a response to Martin
saying DTML is dead, as I am currently using DTML for these sorts of tasks.

T

On Sun, Sep 5, 2010 at 6:47 PM, Laurence Rowe  wrote:

> On 5 September 2010 02:49, Tim Hoffman  wrote:
> >>>
> >>
> >> Please note that DTML is a dead (and horrid) technology.
> >> Martin
> >
> > But zpt is horrible for doing non html/xml based things ;-), What do you
> > think is good alternative in the zope eco system now
> > for templating other types of things (sql, python ...) ?
>
> If you don't need conditions or looping, then string.Template from the
> standard library is a reasonable choice. For templating SQL I would
> use SQLAlchemy, as you want appropriate quoting applied to your input.
> (You don't have to use it's ORM).
>
> Laurence
>
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML is dead, long live DTML ;-)

[Laurence Rowe]

On 5 September 2010 02:49, Tim Hoffman  wrote:
>>>
>>
>> Please note that DTML is a dead (and horrid) technology.
>> Martin
>
> But zpt is horrible for doing non html/xml based things ;-), What do you
> think is good alternative in the zope eco system now
> for templating other types of things (sql, python ...) ?

If you don't need conditions or looping, then string.Template from the
standard library is a reasonable choice. For templating SQL I would
use SQLAlchemy, as you want appropriate quoting applied to your input.
(You don't have to use it's ORM).

Laurence
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML is dead, long live DTML ;-)

[Tim Hoffman]

HI Vincent.

I haven't looked an jinja to date. Will definately have a look at it.

I generate a lot of code (sql, gae models, storm schema, formish schema's)
from Enterprise Architect, and
currently using dtml for all non html/xml output.

 Cheers

T

On Sun, Sep 5, 2010 at 3:35 PM, Vincent Fretin wrote:

> Hi,
>
> For AGX3, we started to use Jinja for the template, for example for
> the generation of setup.py, we have:
>
> version = '{{version}}'
>
> setup(name='{{project}}',
>  version=version,
>  description="{{description}}",
> ...
>
> The syntax is simpler than dtml we use in AGX2:
> 
>
> Vincent
>
>
> On Sun, Sep 5, 2010 at 5:13 AM, Tim Hoffman  wrote:
> > Hi Florian
> > I use a model based generation approach (from enterprise architect)
> however
> > even archgenxml has templates for large amounts of  boiler plate under
> the
> > hood.
> > Have you actually looked at the src of archgenxml, if you did you will
> > notices it uses dtml for templating the code output ;-)
>
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML is dead, long live DTML ;-)

[Vincent Fretin]

Hi,

For AGX3, we started to use Jinja for the template, for example for
the generation of setup.py, we have:

version = '{{version}}'

setup(name='{{project}}',
  version=version,
  description="{{description}}",
...

The syntax is simpler than dtml we use in AGX2:


Vincent


On Sun, Sep 5, 2010 at 5:13 AM, Tim Hoffman  wrote:
> Hi Florian
> I use a model based generation approach (from enterprise architect) however
> even archgenxml has templates for large amounts of  boiler plate under the
> hood.
> Have you actually looked at the src of archgenxml, if you did you will
> notices it uses dtml for templating the code output ;-)
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML is dead, long live DTML ;-)

[Tim Hoffman]

Hi Florian

I use a model based generation approach (from enterprise architect) however
even archgenxml has templates for large amounts of  boiler plate under the
hood.

Have you actually looked at the src of archgenxml, if you did you will
notices it uses dtml for templating the code output ;-)

T

On Sun, Sep 5, 2010 at 9:11 AM, Florian Friesdorf  wrote:

> On Sun, Sep 05, 2010 at 08:49:39AM +0800, Tim Hoffman wrote:
> > >
> > >
> > >>
> > > Please note that DTML is a dead (and horrid) technology.
> > >
> > > Martin
> > >
> >
> > But zpt is horrible for doing non html/xml based things ;-), What do you
> > think is good alternative in the zope eco system now
> > for templating other types of things (sql, python ...) ?
>
> I would use a templating system for things that are easy to template
> (html/xml) and where more complex logic can be offloaded to a real
> programming language like python (as zpt does).
>
> Using a templating system for a programming language is I think a
> different programming paradigm than zope's component architecture and
> contrary to code reusage. With code generators like ArchGenXML or agx
> you are able to create models for your software on a more abstract level
> than based on templating, so I would not use templating but model-based
> code generation instead.
>
>
> florian
>
> --
> Florian Friesdorf 
>  GPG FPR: EA5C F2B4 FBBB BA65 3DCD  E8ED 82A1 6522 4A1F 4367
> Jabber/XMPP: f...@chaoflow.net
> IRC: chaoflow on freenode,ircnet,blafasel,OFTC
>
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML is dead, long live DTML ;-)

[Florian Friesdorf]

On Sun, Sep 05, 2010 at 08:49:39AM +0800, Tim Hoffman wrote:
> >
> >
> >>
> > Please note that DTML is a dead (and horrid) technology.
> >
> > Martin
> >
> 
> But zpt is horrible for doing non html/xml based things ;-), What do you
> think is good alternative in the zope eco system now
> for templating other types of things (sql, python ...) ?

I would use a templating system for things that are easy to template
(html/xml) and where more complex logic can be offloaded to a real
programming language like python (as zpt does).

Using a templating system for a programming language is I think a
different programming paradigm than zope's component architecture and
contrary to code reusage. With code generators like ArchGenXML or agx
you are able to create models for your software on a more abstract level
than based on templating, so I would not use templating but model-based
code generation instead.


florian

-- 
Florian Friesdorf 
  GPG FPR: EA5C F2B4 FBBB BA65 3DCD  E8ED 82A1 6522 4A1F 4367
Jabber/XMPP: f...@chaoflow.net
IRC: chaoflow on freenode,ircnet,blafasel,OFTC


pgpD9QHMx5IZs.pgp
Description: PGP signature
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML is dead, long live DTML ;-)

[Tim Hoffman]

>
>
>>
> Please note that DTML is a dead (and horrid) technology.
>
> Martin
>

But zpt is horrible for doing non html/xml based things ;-), What do you
think is good alternative in the zope eco system now
for templating other types of things (sql, python ...) ?

T
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML

[Christian Theune]

On Tue, 2004-03-02 at 18:24, Fábio Bruno wrote:
> Dear Sir or Madamme
> We are working with zope at school, it was proppoused to us to do an 
> imobiliary site and we like to know who we can do a for cicle or repeat to 
> search in our document whow many houses where added.
> Your's faithfully,
> Fábio & Bruno

Hi,

please notice that this list if for discussion of the development _of_
the zope application server. not for using it.

First, consider using Zope Page Templates instead of DTML. There is a
good tutorial in the Zope 2.7 release that you can leverage which tells
you about "tal:repeat".

There is also a site from brasil that tells about zope: www.tchezope.org
where you will get support from a community in your native language.

Regards,
Christian

-- 
Christian Theune, gocept gmbh & co. kg
http://www.gocept.com - [EMAIL PROTECTED]
fon: 03496 3099112 fax: 03496 3099118 mobile: 0179 7808366


signature.asc
Description: This is a digitally signed message part
___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Martijn Pieters]

On Wed, Aug 14, 2002 at 04:25:09PM -0400, Brian Lloyd wrote:
> So here's what we'll do. Zope 2.6 will include the string tainting
> changes, enabled by default. The tainting can be turned off by
> providing an environment variable.
> 
> The next Zope 2.5.x release will contain the tainting code, but it
> will be *disabled* by default. If you are worried about the issues
> it addresses, you will be able to enable it explicitly using an
> environment variable (without having to upgrade to 2.6).

I checked in the changes for 2.5; auto quoating now has to be enabled with
an environment variable. Higly recommended!

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Brian Lloyd]

> >>Like I said before, this is probably a good feature. If it was
> available as a
> >>patch then I would probably use it on a number of my sites, and would
> >>recommend it to others. I would be very happy see it (or
> something like it)
> >>in 2.7.
> >>
> >>But not 2.6.
> >>
> >
>> Then Jim wrote:
>> WRT to this change, now that I'm back from vacation, I want to talk to
Brian
>> about it. ;)

Hear ye, hear ye :^)

Zope 2.6 is a second-dot release, meaning that it is expected that
there will be new features and that it is possible (though we always
try to avoid it) that some things can break in the name of progress.

(See http://dev.zope.org/CVS/ZopeReleasePolicy for more details).

Zope 2.5.x will be a third-dot release, intended to be bug-fix only
(and thus not allowed to break things).

So here's what we'll do. Zope 2.6 will include the string tainting
changes, enabled by default. The tainting can be turned off by
providing an environment variable.

The next Zope 2.5.x release will contain the tainting code, but it
will be *disabled* by default. If you are worried about the issues
it addresses, you will be able to enable it explicitly using an
environment variable (without having to upgrade to 2.6).

2.7 and later releases will behave as 2.6.


Brian Lloyd[EMAIL PROTECTED]
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com




___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML and REQUEST data changes about to be checkedin

[Max M]

Jim Fulton wrote:

> The plan is to release 2.6 as soon as we can. We're really busy with a 
> bunch of
> customer work and haven't had as much time to work on this as we'd like.


Well actually this is more comforting than if you had a lot of time on 
your hands ;-)

regards Max M

-- 

"Sorry I would Really Like To Help More On This Project,
But Am To Busy Doing Paid Work On A Tight Deadline"
Max M





___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Jim Fulton]

Jeffrey P Shell wrote:
> On 8/9/02 8:43 AM, "Toby Dickenson" <[EMAIL PROTECTED]>
> wrote:
> 

...

>>Like I said before, this is probably a good feature. If it was available as a
>>patch then I would probably use it on a number of my sites, and would
>>recommend it to others. I would be very happy see it (or something like it)
>>in 2.7.
>>
>>But not 2.6.
>>
> 
> Oh, 2.6 will never happen anyways ;)  (seriously folks - what's the plan?).

The plan is to release 2.6 as soon as we can. We're really busy with a bunch of
customer work and haven't had as much time to work on this as we'd like.

It's likely that 2.7 will come out at around the same time as 2.6. See
http://dev.zope.org/Wikis/DevSite/Projects/SupportPython22/VisionStatement.

WRT to this change, now that I'm back from vacation, I want to talk to Brian
about it. ;)

Jim

-- 
Jim Fulton   mailto:[EMAIL PROTECTED]   Python Powered!
CTO  (888) 344-4332http://www.python.org
Zope Corporation http://www.zope.com   http://www.zope.org


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Martijn Pieters]

On Mon, Aug 12, 2002 at 03:51:24PM +0100, Toby Dickenson wrote:
> On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:
> 
> > Whithout the fix, virtually every Zope site in the world is vulnerable
> > to URL-based cross-site scripting exploits.  For instance, any URL which
> > contains invalid form variable marshalling can generate an error page
> > which includes the erroneous value, unquoted.  E.g.:
> >
> > http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealer
> >t('Owned')%3C/script%3E>
> 
> Do you plan to fix this bug?
> 
> Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?

Together with the autoquoting changes, I tightened Exception messages; data
from REQUEST is quoted where I could reasonably suspect REQUEST data was
used.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesabout to be checked in

[Adrian Hungate]

> >  > I'd like to second this. It was one of the contibuting factors in the
> >  > decision of my former employers to opt for spectra instead of a Zope
> >  > solution (That already existed!!).
> > I, in contrary, appreciate the openess and fast response with
> > respect to security problems.
> >
> > I do not install most hotfixes because the vulnerabilities do not
> > affect our sites but it is a good feeling that there are fast
> > fixes when this would be once the case.
>
> In some way we need to make it clear that most hotfixes don't matter for
> most sites.  A lot of hotfixes ensured that users who could write DTML
> couldn't get extra privileges.  They really only mattered for sites like
> zope.org, where anyone with an email address is allowed to write code
> that will be executed directly on the server.  But:
>

You are exactly right... but... The problem is not one of clarity of
labling, it's one of targetting: The people that actually make this level of
decision (i.e. board level execs) are not "techies", and are just not
interested in _why_ the fix is needed, or in _what_ technical problem it
fixes, but that ZC (visibly) releases 'n' fixes per month for Zope, while M$
(visibly) releases less than that number per year for IIS/ASP - Therefore,
Zope must be the less stable/reliable product etc?

The logic is flawed, we all know that, but who is volunteering to visit
every companies senior execs worldwide and spend the time to make them care
enough?

The hotfixes, and new releases need to be "marketted" (I use that word
loosely) quite differently, new releases are "A Good Thing(tm)", while the
fixes need to be "under the hood" where the execs won't be bothered by them,
but the techies can find them when they need them.

I appologise, in advance, for the sweeping generalization that all execs are
like Dilbert's pointy-haired boss, but some really are!

Adrian...

--
Adrian Hungate
EMail: [EMAIL PROTECTED]
Web: http://www.haqa.co.uk



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Toby Dickenson]

On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:

> Whithout the fix, virtually every Zope site in the world is vulnerable
> to URL-based cross-site scripting exploits.  For instance, any URL which
> contains invalid form variable marshalling can generate an error page
> which includes the erroneous value, unquoted.  E.g.:
>
> http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealer
>t('Owned')%3C/script%3E>

Do you plan to fix this bug?

Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesaboutto be checked in

[Shane Hathaway]

Dieter Maurer wrote:
> Adrian Hungate writes:
>  > 
>  > > We should avoid sending the wrong
>  > > message by making a hotfix for every little thing.
>  > >
>  > > Shane
> 
>  > I'd like to second this. It was one of the contibuting factors in the
>  > decision of my former employers to opt for spectra instead of a Zope
>  > solution (That already existed!!).
> I, in contrary, appreciate the openess and fast response with
> respect to security problems.
> 
> I do not install most hotfixes because the vulnerabilities do not
> affect our sites but it is a good feeling that there are fast
> fixes when this would be once the case.

In some way we need to make it clear that most hotfixes don't matter for 
most sites.  A lot of hotfixes ensured that users who could write DTML 
couldn't get extra privileges.  They really only mattered for sites like 
zope.org, where anyone with an email address is allowed to write code 
that will be executed directly on the server.  But:

1) most Zope sites give a high level of trust to DTML authors anyway. 
There was no way to exploit most of the security holes without the 
ability to write DTML that runs on the server.

2) even a Zope administrator is still quite limited.  In a standard 
setup, a Zope admin can't read/write arbitrary files or execute scripts.

3) Zope doesn't run as root.  Even if someone found a way to get console 
access through a Zope admin account, they would have to exploit some 
other security hole to get root access.

We need to make it clear that there are several layers of security, and 
only a single layer has ever had a problem AFAIK.

Shane


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesabout to be checked in

[Dieter Maurer]

Adrian Hungate writes:
 > 
 > > We should avoid sending the wrong
 > > message by making a hotfix for every little thing.
 > >
 > > Shane

 > I'd like to second this. It was one of the contibuting factors in the
 > decision of my former employers to opt for spectra instead of a Zope
 > solution (That already existed!!).
I, in contrary, appreciate the openess and fast response with
respect to security problems.

I do not install most hotfixes because the vulnerabilities do not
affect our sites but it is a good feeling that there are fast
fixes when this would be once the case.


Dieter

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesabout to be checked in

[Adrian Hungate]

> [Snip]
>
> I just want to keep the security worries in check.  Let me ramble for a
> bit...  We've released a lot of hotfixes, but *none* of the
> vulnerabilities could give an attacker root access, and none of them
> could give console access to anonymous users AFAIK.  All of the
> vulnerabilities violated Zope's security policy, but Zope's security
> policy is constrained by system security and other safeguards.  People
> outside the Zope community don't know that, so a lot have labeled Zope
> as too insecure to use.  The reality is that we've never even had an
> exploitable buffer overrun. :-)  We should avoid sending the wrong
> message by making a hotfix for every little thing.
>
> Shane
>

I'd like to second this. It was one of the contibuting factors in the
decision of my former employers to opt for spectra instead of a Zope
solution (That already existed!!).

I am sure there are other cases of this too... If someone finds a buffer
overrun, fix it by all means, but other issues may be better left for minor
version releases, where they can be buried in the changelog.

Just my £0.02

Adrian...

--
Adrian Hungate
EMail: [EMAIL PROTECTED]
Web: http://www.haqa.co.uk



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML and REQUEST data changes about to be checkedin

[Jeffrey P Shell]

On 8/9/02 8:43 AM, "Toby Dickenson" <[EMAIL PROTECTED]>
wrote:

> I agree it is true in most cases, but not all. Have you analysed how many
> applications will be broken by this? how they can detect the breakage? I
> certainly will not have time to assess the implications on my applications
> before the scheduled release of 2.6.

This is why I raised the flag of "can there be a way to disable it?", and
Martijn put a fix in:

 -  and &dtml.-name; will now automatically HTML-quote
unsafe data taken implictly from the REQUEST object. Data taken
explicitly from the REQUEST object is not affected, as well as any
other data not originating from REQUEST. This can be disabled (at
your own risk!) by setting the environment variable
ZOPE_DTML_REQUEST_AUTOQUOTE to one of 'no', '0', or 'disabled'.

I have the same concerns you do, but I figure that if any problems are found
during normal execution of any Zope release this is attached to that I don't
have time to investigate a fix for myself, I can add this environment
variable (which normally I am not fond of doing), restart, and make a note
"investigate fixing site blablabla".  Is there any reason why this solution
wouldn't work for you?
 
> Like I said before, this is probably a good feature. If it was available as a
> patch then I would probably use it on a number of my sites, and would
> recommend it to others. I would be very happy see it (or something like it)
> in 2.7.
> 
> But not 2.6.

Oh, 2.6 will never happen anyways ;)  (seriously folks - what's the plan?).

Since there's no current release plan for 2.6, it's hard to plan future
deployments around it anyways.  But if you have any sites you plan to move
to 2.6, you should test this Autoquote change aggressively during the
alpha/beta cycle.  Since the ZOPE_DTML_REQUEST_AUTOQUOTE change has been put
in, I've reserved future judgments until I get a chance to actually do some
testing.  I know that if I do run into any issues in the future that I don't
have time to deal with, I can just flip that switch off.

-- 
Jeffrey P Shell 
www.cuemedia.com



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesaboutto be checked in

[Shane Hathaway]

Tres Seaver wrote:
> Whithout the fix, virtually every Zope site in the world is vulnerable
> to URL-based cross-site scripting exploits.  For instance, any URL which
> contains invalid form variable marshalling can generate an error page
> which includes the erroneous value, unquoted.  E.g.:
> 
> 
>http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>

I think an URL with an inconspicuous mispelling of the domain name is a 
far greater vulnerability than cross-site-scripting.

Consider:

http://barnesandnohle.com/freebooks.html

An attacker could set up that misleading domain name then spam people to 
order free books, requiring credit card info for some 
"book-of-the-month" trick.  Some simple scraping of the true site would 
keep most people from ever thinking there was a problem.  In fact, you 
don't even have to misspell it:

http://barnes-andnoble.com/freebooks.html

This affects the entire web and every piece of software involved in it.

I just want to keep the security worries in check.  Let me ramble for a 
bit...  We've released a lot of hotfixes, but *none* of the 
vulnerabilities could give an attacker root access, and none of them 
could give console access to anonymous users AFAIK.  All of the 
vulnerabilities violated Zope's security policy, but Zope's security 
policy is constrained by system security and other safeguards.  People 
outside the Zope community don't know that, so a lot have labeled Zope 
as too insecure to use.  The reality is that we've never even had an 
exploitable buffer overrun. :-)  We should avoid sending the wrong 
message by making a hotfix for every little thing.

Shane


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes aboutto be checked in

[Oliver Bleutgen]

Tres Seaver wrote:

> Martijn did add a knob to turn the feature off, via a new environment
> variable.  With a security vulnerability, we have to come up with some
> kind of balance between the need to propagate the fix as quickly as
> possible and the need (as you point out) not to disrupt production sites
> unduly.  I don't believe we can afford to wait a whole other release
> cycle for this fix;   Brian, Jim, and Martijn deemed the fix too
> pervasive to be bundled as a hotfix, which offers us little choice
> except to included it in current releases.
> 
> Whithout the fix, virtually every Zope site in the world is vulnerable
> to URL-based cross-site scripting exploits.  For instance, any URL which
> contains invalid form variable marshalling can generate an error page
> which includes the erroneous value, unquoted.  E.g.:
> 
> 
>http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>

Yeah,

but why not fixing that instead?
I for one concur that it is a good thing to care for such stuff, but the 
way it is fixed might really lead to a lot of confusion, because it 
again introduces some magic which happens behind the users back.

As far as I understand the fix, I can imagine some use cases which might 
break without having been in danger at all. Someone please correct me if 
I'm wrong.

1. Sending mails with dtml-sendmail
If you send plaintext mails, suddendly you get html_quoted stuff which 
you never wanted. Having to debug this without knowing about the new 
"feature" will get people up in arms.

2. 

3. Any object which uses dtml to render content from the REQUEST not 
meant for being displayed in a browser.


Some people might use zope for things which have nothing to do with 
html, so they didn't care about cross-site scripting in the first place.

cheers,
oliver





___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changesabout to be checked in

[Tres Seaver]

On Fri, 2002-08-09 at 10:43, Toby Dickenson wrote:
> On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote:
> > On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > > > The risk for breakage is very small really
> > >
> > > Your choice of '<' and html_quote suggests that my dtml code which
> > > generates javascript and vbscript carries a higher risk than dtml which
> > > generates html.
> >
> > Only if you generated that script using data from the REQUEST, implicitly.
> 
> Yes
> 
> > Which was bad in the first place.
> 
> I agree it is true in most cases, but not all. Have you analysed how many 
> applications will be broken by this? how they can detect the breakage? I 
> certainly will not have time to assess the implications on my applications 
> before the scheduled release of 2.6.
> 
> > > >, and breakage
> > > > will generally only occur when someone is trying to exploit the
> > > > weakness, not in normal operation of the site.
> > >
> > > The fact that your change uses html_quote to 'fix' the problem rather
> > > than sounding 'hacker alert' alarm bells suggests to me that you dont
> > > really believe that ;-)
> >
> > Again, the wide scope of DTML use would make such bells warble prematurely
> > all too often.
> 
> 'all too often' also contradicts your statements that this will not happen in 
> normal operation of the site, and that the risk of breakage is 'very small'.
> 
> 
> Like I said before, this is probably a good feature. If it was available as a 
> patch then I would probably use it on a number of my sites, and would 
> recommend it to others. I would be very happy see it (or something like it) 
> in 2.7.
> 
> But not 2.6.

Martijn did add a knob to turn the feature off, via a new environment
variable.  With a security vulnerability, we have to come up with some
kind of balance between the need to propagate the fix as quickly as
possible and the need (as you point out) not to disrupt production sites
unduly.  I don't believe we can afford to wait a whole other release
cycle for this fix;   Brian, Jim, and Martijn deemed the fix too
pervasive to be bundled as a hotfix, which offers us little choice
except to included it in current releases.

Whithout the fix, virtually every Zope site in the world is vulnerable
to URL-based cross-site scripting exploits.  For instance, any URL which
contains invalid form variable marshalling can generate an error page
which includes the erroneous value, unquoted.  E.g.:

http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>


Tres.
-- 
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  "Zope Dealers"   http://www.zope.com


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Toby Dickenson]

On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote:
> On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > > The risk for breakage is very small really
> >
> > Your choice of '<' and html_quote suggests that my dtml code which
> > generates javascript and vbscript carries a higher risk than dtml which
> > generates html.
>
> Only if you generated that script using data from the REQUEST, implicitly.

Yes

> Which was bad in the first place.

I agree it is true in most cases, but not all. Have you analysed how many 
applications will be broken by this? how they can detect the breakage? I 
certainly will not have time to assess the implications on my applications 
before the scheduled release of 2.6.

> > >, and breakage
> > > will generally only occur when someone is trying to exploit the
> > > weakness, not in normal operation of the site.
> >
> > The fact that your change uses html_quote to 'fix' the problem rather
> > than sounding 'hacker alert' alarm bells suggests to me that you dont
> > really believe that ;-)
>
> Again, the wide scope of DTML use would make such bells warble prematurely
> all too often.

'all too often' also contradicts your statements that this will not happen in 
normal operation of the site, and that the risk of breakage is 'very small'.


Like I said before, this is probably a good feature. If it was available as a 
patch then I would probably use it on a number of my sites, and would 
recommend it to others. I would be very happy see it (or something like it) 
in 2.7.

But not 2.6.





___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Martijn Pieters]

On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > The risk for breakage is very small really
> 
> Your choice of '<' and html_quote suggests that my dtml code which generates 
> javascript and vbscript carries a higher risk than dtml which generates html.

Only if you generated that script using data from the REQUEST, implicitly.
Which was bad in the first place.

> >, and breakage
> > will generally only occur when someone is trying to exploit the weakness,
> > not in normal operation of the site.
> 
> The fact that your change uses html_quote to 'fix' the problem rather than 
> sounding 'hacker alert' alarm bells suggests to me that you dont really 
> believe that ;-)

Again, the wide scope of DTML use would make such bells warble prematurely
all too often. The normal, recommended fix for the general weakness is to
always use HTML quote.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Toby Dickenson]

On Thursday 08 Aug 2002 9:29 pm, Martijn Pieters wrote:
> On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote:
> > > I am about to land some big changes in the way DTML deals with data
> > > taken from the REQUEST object when accessed implicitly, in both the
> > > Zope Trunk and the Zope 2.5 branch.
> >
> > In my opinion this change is completely unacceptable at this late stage
> > of
> >
> > the release cycle. As you said:
> > > These changes could potentially break existing Zope sites.
> >
> > The existing behavior might be flawed, but it is a flaw we have all lived
> > with for a long time. In my opinion this needs:
> >
> > 1. To be deferred until the 2.7 cycle.
> >
> > 2. A detailed fishbowl proposal.
>
> Note that the problems fixed are potential security problems. Although we
> cannot fix every site out there for sure, the fixes certainly dramatically
> reduce the risks.

Im not going to argue that this feature is bad - because I dont believe that 
to be true. I suspect the feature is not exactly quite right - but those 
issues can easily be resolved over a full release cycle.

> The risk for breakage is very small really

Your choice of '<' and html_quote suggests that my dtml code which generates 
javascript and vbscript carries a higher risk than dtml which generates html.

>, and breakage
> will generally only occur when someone is trying to exploit the weakness,
> not in normal operation of the site.

The fact that your change uses html_quote to 'fix' the problem rather than 
sounding 'hacker alert' alarm bells suggests to me that you dont really 
believe that ;-)

> I'll leave any decisions on wether or not this stays in the current release
> cycles or moves to 2.7 to Jim Fulton. He is unfortunately on cvacation
> until next week.


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Martijn Pieters]

On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote:
> > I am about to land some big changes in the way DTML deals with data
> > taken from the REQUEST object when accessed implicitly, in both the Zope
> > Trunk and the Zope 2.5 branch.
> 
> In my opinion this change is completely unacceptable at this late stage of
> the release cycle. As you said:
> 
> > These changes could potentially break existing Zope sites.
> 
> The existing behavior might be flawed, but it is a flaw we have all lived
> with for a long time. In my opinion this needs:
> 
> 1. To be deferred until the 2.7 cycle.
> 
> 2. A detailed fishbowl proposal.

Note that the problems fixed are potential security problems. Although we
cannot fix every site out there for sure, the fixes certainly dramatically
reduce the risks. The risk for breakage is very small really, and breakage
will generally only occur when someone is trying to exploit the weakness,
not in normal operation of the site.

I'll leave any decisions on wether or not this stays in the current release
cycles or moves to 2.7 to Jim Fulton. He is unfortunately on cvacation until
next week.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Florent Guillaume]

The way I see it is this:

ZPT has (amongst others) the very nice property that it's trivial to
audit ZPT pages for non-quoted string output: just grep for 'structure'.

OTOH in DTML there's no way to do that, the default is unquoted output.
&dtml-stuff; is a good step, but there's way too much code out there
that doesn't take proper security precautions and is vulnerable to
cross-site scripting attacks. The fact that namespaces are implicit and
make it possible to get stuff from where we don't expect them doesn't
help.

We should always keep in mind the security debacle that PHP has become,
because it didn't take proper precautions for quoting (reports on
Bugtraq of XSS attacks in some PHP application practically every week).
There's magic_quotes_gpc or magic_quotes_runtime that automatically
quotes their equivalent of REQUEST or even any output from outside
applications, but it's a PITA because it does too much and is often
inconvenient, so a lot of users turn it off or forget to turn it on. And
it's too much magic.


The solution Martijn implemented has a number of nice properties, for
instance protecting those that do , and will only leave
open the applications that really didn't take the most basic security
precautions (unfortunately I'm sure there are some out there, doing
stuff like ">).


So in a code audit all  should be suspect, and
&dtml-.xxx; too.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:[EMAIL PROTECTED]

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Martijn Pieters]

On Fri, Aug 02, 2002 at 08:55:13AM -0700, Andy McKay wrote:
> Likewise Im trying to digest all that and Im a little suprised. More magic
> in DTML? Not something I'd vote for normally.
> 
> Im a little confused why this is suddenly an issue, yeah so we pull a string
> out of the REQUEST and thanks to DTML stack we may not know where it came
> from. Well thats always been there. And yeah the string may contain nasty
> HTML. Again that's always been there.
> In the past (and I cant find posts to show it) the party line was Zope is an
> application server and its up to the person developing the application to
> worry about it. Thats why ChrisW wrote stripogram and I use it in quite a
> few apps.

Yup. And that is still the case. However, the combination of implict REQUEST
form interpolation and no HTML quoting turns out to especially dangerous,
because of those situations where you *want* no HTML quoting for optional
information that normally should *not* come from the REQUEST.

An example is the Zope help system; there are API help pages that have
optional information, which when present is already HTML. But when not
present in the object hierarchy, but it *is* available in the REQUEST, the
REQUEST data is used instead. The way standard_error_message deals with
exceptions is another such a situation. The DTML author didn't expect the
particular template slot to be filled with REQUEST data, the slot is
optional, and the author has no way of preventing REQUEST data from being
used.

The solution we choose fixes that problem, for all existing DTML as well as
future DTML. Note that ZPT does not have this problem, as it quotes by
default and doesn't use implict namespaces.

> One other question? Why does it matter that the string is implicitly called,
> why dont you taint explicitly called to? It makes me think of Perl where
> taint mode taints anything coming from the user?

Because, as explained above, its the implicit case that is dangerous. In the
explicit case you are supposed to know you are working with unsafe data and
thus the old rules apply. If we explicitly quoted, we hurt everyone that
either did the right thing from the start and/or already knows they are
playing with fire.

> This still doesnt solve the party line and means I would like to suggest
> again (and this time I have the time to work on it) that we add something
> like stripogram or similar to the core, so that is easy for an application
> developer to have access to strip html and other functions from products,
> DTML, Python Scripts etc to easily alter, manage and make HTML safer.

The CMF now includes a basic HTML stripper. In future iterations, Tres
Seaver expects this to evolve into a CMF Tool that is more generaly
configurable and useable.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

[Andy McKay]

Likewise Im trying to digest all that and Im a little suprised. More magic
in DTML? Not something I'd vote for normally.

Im a little confused why this is suddenly an issue, yeah so we pull a string
out of the REQUEST and thanks to DTML stack we may not know where it came
from. Well thats always been there. And yeah the string may contain nasty
HTML. Again that's always been there.
In the past (and I cant find posts to show it) the party line was Zope is an
application server and its up to the person developing the application to
worry about it. Thats why ChrisW wrote stripogram and I use it in quite a
few apps.

One other question? Why does it matter that the string is implicitly called,
why dont you taint explicitly called to? It makes me think of Perl where
taint mode taints anything coming from the user?

This still doesnt solve the party line and means I would like to suggest
again (and this time I have the time to work on it) that we add something
like stripogram or similar to the core, so that is easy for an application
developer to have access to strip html and other functions from products,
DTML, Python Scripts etc to easily alter, manage and make HTML safer.
--
  Andy McKay
  @gmweb Consulting
  http://www.agmweb.ca




___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML sqltest tag and python expr. Bug in Zope Book?

[Yves-Eric Martin]

On Sat, 30 Jun 2001 11:41:57 +0200 (CEST)
Dieter Maurer <[EMAIL PROTECTED]> wrote:

> If I were a purist, I would answer: no.
> 
>   The name error could come from a nested call that incidentally
>   uses the same name for a variable as a request argument.

Granted.

But I have just been thinking: the dtml-var tag does support python
expressions. And its "missing" attribute is quite similar to the
"optional" of dtml-sqltest, don't you think? The "missing" attribute
works only when a variable name is provided. It has no effect on python
expression: if noVar is not defined:

  returns nothing,
raises a NameError.


So for consistency, we can do the same with the dtml-sqltest tag: it
would accept python expression, and the "optional" would work only with
variable names, not python expressions.


> If I were a Zope maintainer, I would answer: no.
> 
>   The feature is rarely used and if it is, there is
>   a way to do it with existing DTML means:

Well, of course it is not being used much, since it is not
implemented... ;o)

Anyway, I guess it all depends on what you use Zope for. As far as I
am concerned, many of the Zope projects I have been involved in included
heavy database queries. So I used that "feature" (with the workarounds
we described) quite a lot.


> But your point was: The feature is used in the Zope book,
> thus, apparently, it was useful. The question:
> "why not implement the feature rather than change the book".

Exactly. I think that this feature should be implemented for:

o consistency with other tags,
o consistency with the Zope Book (DTML *REFERENCE*!)
o and its usefulness to people like me ;)


> Maybe, DC says something about this

Cheers!



-- 
Yves-Eric Martin
[EMAIL PROTECTED]


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML sqltest tag and python expr. Bug in Zope Book?

[Dieter Maurer]

Yves-Eric Martin writes:
 > > I expect that "dtml-sqltest" does not support the "expr"
 > > attribute due to its "optional".
 > > 
 > > It is not easy to define the semantics of "optional" for
 > > arbitrary expressions.
 > 
 > To overcome that problem, I think it would make sense to treat the
 > "optional" like this: when the expression raises a NameError, if the
 > variable name that caused the error is an expected argument of the
 > ZSQLMethod, then this argument was not provided, so do not render the
 > sqltest tag. Otherwise, we have a real error. In a pythonish algorithm,
 > that would look like this:
 > 
 > 
 > try:
 > renderedExpr = eval(expr)
 > except NameError, varName:
 > if varName in ZSQLMethodArguments:
 > # "optional" behavior for missing variable
 > pass
 > else:
 > # We have a real error
 > raise NameError, varName
 > else:
 > # render sqltest tag
 > ...
 > 
 > 
 > Do you think that makes sense?
If I were a purist, I would answer: no.

  The name error could come from a nested call that incidentally
  uses the same name for a variable as a request argument.


If I were a Zope maintainer, I would answer: no.

  The feature is rarely used and if it is, there is
  a way to do it with existing DTML means:

  As you demonstrated:


  


  does work, although it is not really nice -- but not too bad, either.


If I would need this feature extensively, I would privately
enhance Zope as necessary. I learned yesterday, how to
use "cvs import/checkout/update" to keep such private enhancements
across Zope upgrades.


But your point was: The feature is used in the Zope book,
thus, apparently, it was useful. The question:
"why not implement the feature rather than change the book".
Maybe, DC says something about this


Dieter

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML sqltest tag and python expr. Bug in Zope Book?

[Yves-Eric Martin]

On Thu, 28 Jun 2001 22:42:13 +0200 (CEST)
Dieter Maurer <[EMAIL PROTECTED]> wrote:

> I expect that "dtml-sqltest" does not support the "expr"
> attribute due to its "optional".
> 
> It is not easy to define the semantics of "optional" for
> arbitrary expressions.

True, but you already found a possible answer:


> Your example seems to suggests, that you would like
> the tag to be omitted, when the expression
> raise a NameError.
> But, in fact, it is not clear whether this is anticipated
> by "optional" or a serious problem (maybe deep in the
> expression) that should be reported.

To overcome that problem, I think it would make sense to treat the
"optional" like this: when the expression raises a NameError, if the
variable name that caused the error is an expected argument of the
ZSQLMethod, then this argument was not provided, so do not render the
sqltest tag. Otherwise, we have a real error. In a pythonish algorithm,
that would look like this:


try:
renderedExpr = eval(expr)
except NameError, varName:
if varName in ZSQLMethodArguments:
# "optional" behavior for missing variable
pass
else:
# We have a real error
raise NameError, varName
else:
# render sqltest tag
...


Do you think that makes sense?


-- 
Yves-Eric Martin
[EMAIL PROTECTED]


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML sqltest tag and python expr. Bug in Zope Book?

[Dieter Maurer]

Yves-Eric Martin writes:
 > But unfortunately,  does not seem to work.
 > We get the following error:
 > 
 >   " The "..." shorthand for expr was used in a tag that doesn't
 > support expr attributes., for tag http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] dtml-in batching improved

[Jean Lagarde]

Ivo, somehow I had missed the very start of the thread. I think that my
change pretty much implements the third alternative you describe in your
post, but for which you provided no patch (the one which defines the
variables at the top and bottom only, because I leave the "if
index==first or index==last" test). You are right that my change could
break existing code, but I think not as badly as defining the variables for
every
iteration.

In any case, I will keep the change in my version until I notice a side
effect that I don't like.

Cheers,

Jean

> -Original Message-
> From: Ivo van der Wijk
> Sent: Monday, June 18, 2001 7:31 AM
>
> This is basically my patch #1. It makes previous-sequence-* and
> next-sequence-* available throughout the entire dtml-in loop.
>
> This sounds like a good fix, but people may rely on these variables
> being only set at resp. the start and end of the iteration.
>
> So this patch may break existing dtml code.
>
> That's why I suggested patch #2, which introduces new variables. Old
> code will continue to work, but people who want the problem fixed can
> use the newly introduced variables, which are available throughout the
> iteration.
>
>   Ivo


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching improved

[Ivo van der Wijk]

On Wed, Jun 13, 2001 at 04:28:12PM -0700, Jean Lagarde wrote:
> Good day all,
> 
> 
> Here is the original code, with my annotated change (I deleted an if test in
> two places):
> 
>  for index in range(first,end):
> # preset
> kw['previous-sequence']= 0
> kw['next-sequence']= 0 # now more often defined then
> previously
> #
> if index==first or index==last:
> # provide batching information
> if first > 0:
> pstart,pend,psize=opt(0,first+overlap,
>   sz,orphan,sequence)
>  deleted this test -->  if index==first: kw['previous-sequence']=1
> kw['previous-sequence-start-index']=pstart-1
> kw['previous-sequence-end-index']=pend-1
> kw['previous-sequence-size']=pend+1-pstart

(more similar code removed)

This is basically my patch #1. It makes previous-sequence-* and
next-sequence-* available throughout the entire dtml-in loop.

This sounds like a good fix, but people may rely on these variables
being only set at resp. the start and end of the iteration.

So this patch may break existing dtml code.

That's why I suggested patch #2, which introduces new variables. Old 
code will continue to work, but people who want the problem fixed can
use the newly introduced variables, which are available throughout the 
iteration.

Ivo

-- 
Drs. I.R. van der Wijk  -=-
Brouwersgracht 132  Amaze Internet Services V.O.F.
1013 HA Amsterdam   -=-
Tel: +31-20-4688336  Linux/Web/Zope/SQL
Fax: +31-20-4688337   Network Solutions
Web: http://www.amaze.nl/Consultancy
Email:   [EMAIL PROTECTED]   -=-

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching improved

[Jean Lagarde]

Good day all,

I wouldn't consider myself as a Zope developper, but since that's where the
thread was...

I've read the thread with interest but so far all I've read in it are
workarounds that I do not find particularly nice. I did find a bug w/patch
in the collector (#1317), which I thought was meant to correct the problem,
but the patch has been applied to my version (2.3.2), and dtml-in evidently
still did not behave as expected. So I've looked at it more closely and
found what I think is a fix, but given my inexperience, I would like to know
if others think that I'm doing something wrong. I've tested the change for a
while on my application, and everything seems to work so far.

Here is the original code, with my annotated change (I deleted an if test in
two places):

 for index in range(first,end):
# preset
kw['previous-sequence']= 0
kw['next-sequence']= 0 # now more often defined then
previously
#
if index==first or index==last:
# provide batching information
if first > 0:
pstart,pend,psize=opt(0,first+overlap,
  sz,orphan,sequence)
 deleted this test -->  if index==first: kw['previous-sequence']=1
kw['previous-sequence-start-index']=pstart-1
kw['previous-sequence-end-index']=pend-1
kw['previous-sequence-size']=pend+1-pstart
try:
# The following line is a sneaky way to
# test whether there are more items,
# without actually computing a length:
sequence[end]
pstart,pend,psize=opt(end+1-overlap,0,
  sz,orphan,sequence)
 deleted this test -->  if index==last: kw['next-sequence']=1
kw['next-sequence-start-index']=pstart-1
kw['next-sequence-end-index']=pend-1
kw['next-sequence-size']=pend+1-pstart
except: pass

if index==last: kw['sequence-end']=1

Cheers,

Jean


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] dtml-in batching improved

[Adrian Hungate]

Title: RE: [Zope-dev] dtml-in batching improved





Back before the zope.org product directory became so easy to navigate I wrote an index
that I used to use which has batch links top and bottom:


http://www.zope.org/Members/haqa/productlist/view_source


Dunno if this helps...


Adrian...


-Original Message-
From: Chris Withers [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 30 May 2001 22:03
To: Ivo van der Wijk; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Simon Coles
Subject: Re: [Zope-dev] dtml-in batching improved



> When using batching in dtml-in, why is 'previous-sequence' only defined at
> the first iteration of the current batch? And why is 'next-sequence' only
> defined at the last iteration of the current batch?


I know this problem ;-)


I had it too, and stuck something in the collector about it. I did manage to
get the layout you're after without modifying Zope though (see the search
page on www.nipltd.com)


If you want the code, maybe someone at NIP could fish it out, if you can
wait until next Thursday, I'll grab it myself :-)


cheers,


Chris




___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching improved

[Chris Withers]

> > > Nope, my solution used only one dtml-in and maybe a dtml-let, no
REQUEST
> > > munging :-)
> > >
> > Ok, show me :)
>
> Hurm... gimme a shout next Thursday when I have access to the code again
;-)

Actually, scratch that, check out the folder_contents.dtml file in
CMFDefault/skins of the CMF.
It does some cunning REQUEST variable setting that eliminates the need for
the fanciness I used...

cheers,

Chris


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching improved

[Chris Withers]

> > Nope, my solution used only one dtml-in and maybe a dtml-let, no REQUEST
> > munging :-)
> >
> Ok, show me :)

Hurm... gimme a shout next Thursday when I have access to the code again ;-)

cheers,

Chris


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching improved

[Ivo van der Wijk]

On Thu, May 31, 2001 at 05:36:21PM +0100, Chris Withers wrote:
> > I've done it myself as well using (as described in the posting) two
> > dtml-in's (the second one purely for displaying the prev/next links).
> >
> > Is your solution any different? (The only one I can think of is storing
> > the info in your REQUEST object and using it later, but that's really
> > ugly.)
> 
> Nope, my solution used only one dtml-in and maybe a dtml-let, no REQUEST
> munging :-)
> 

Ok, show me :)

Ivo

-- 
Drs. I.R. van der Wijk  -=-
Brouwersgracht 132  Amaze Internet Services V.O.F.
1013 HA Amsterdam   -=-
Tel: +31-20-4688336  Linux/Web/Zope/SQL
Fax: +31-20-4688337   Network Solutions
Web: http://www.amaze.nl/Consultancy
Email:   [EMAIL PROTECTED]   -=-

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching improved

[Chris Withers]

> I've done it myself as well using (as described in the posting) two
> dtml-in's (the second one purely for displaying the prev/next links).
>
> Is your solution any different? (The only one I can think of is storing
> the info in your REQUEST object and using it later, but that's really
> ugly.)

Nope, my solution used only one dtml-in and maybe a dtml-let, no REQUEST
munging :-)

cheers,

Chris


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching improved

[Casey Duncan]

Ivo van der Wijk wrote:
> 
> On Wed, May 30, 2001 at 10:02:31PM +0100, Chris Withers wrote:
> > > When using batching in dtml-in, why is 'previous-sequence' only defined at
> > > the first iteration of the current batch? And why is 'next-sequence' only
> > > defined at the last iteration of the current batch?
> >
> > I know this problem ;-)
> >
> > I had it too, and stuck something in the collector about it. I did manage to
> > get the layout you're after without modifying Zope though (see the search
> > page on www.nipltd.com)
> >
> 
> I've done it myself as well using (as described in the posting) two
> dtml-in's (the second one purely for displaying the prev/next links).
> 
> Is your solution any different? (The only one I can think of is storing
> the info in your REQUEST object and using it later, but that's really
> ugly.)
> 

AFAIK that is what the next and previous options for dtml-in are for.
Usually
I just store the sequence (if it is a query) in a variable using a let
around
three (or more) dtml-ins. Two of which use the next or previous option
to create
the batching links.

-- 
| Casey Duncan
| Kaivo, Inc.
| [EMAIL PROTECTED]
`-->

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching improved

[Ivo van der Wijk]

On Wed, May 30, 2001 at 10:02:31PM +0100, Chris Withers wrote:
> > When using batching in dtml-in, why is 'previous-sequence' only defined at
> > the first iteration of the current batch? And why is 'next-sequence' only
> > defined at the last iteration of the current batch?
> 
> I know this problem ;-)
> 
> I had it too, and stuck something in the collector about it. I did manage to
> get the layout you're after without modifying Zope though (see the search
> page on www.nipltd.com)
> 

I've done it myself as well using (as described in the posting) two
dtml-in's (the second one purely for displaying the prev/next links).

Is your solution any different? (The only one I can think of is storing
the info in your REQUEST object and using it later, but that's really
ugly.)

Ivo

-- 
Drs. I.R. van der Wijk  -=-
Brouwersgracht 132  Amaze Internet Services V.O.F.
1013 HA Amsterdam   -=-
Tel: +31-20-4688336  Linux/Web/Zope/SQL
Fax: +31-20-4688337   Network Solutions
Web: http://www.amaze.nl/Consultancy
Email:   [EMAIL PROTECTED]   -=-

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching improved

[Chris Withers]

> When using batching in dtml-in, why is 'previous-sequence' only defined at
> the first iteration of the current batch? And why is 'next-sequence' only
> defined at the last iteration of the current batch?

I know this problem ;-)

I had it too, and stuck something in the collector about it. I did manage to
get the layout you're after without modifying Zope though (see the search
page on www.nipltd.com)

If you want the code, maybe someone at NIP could fish it out, if you can
wait until next Thursday, I'll grab it myself :-)

cheers,

Chris



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in bug?

[Christian Scholz]

Hi!

ok, some more people told me now about it.. ;-)

It's not that intuitive nevertheless.. (IMHO) ;-)

cheers and thx,
  Christian

On Mon, May 28, 2001 at 05:20:39PM +0200, Tino Wildenhain wrote:
> Hi Christian,
> 
> --On Montag, 28. Mai 2001 15:38 +0200 Christian Scholz <[EMAIL PROTECTED]> 
> wrote:
> 
> > Hi!
> >
> > Dunno if it's again my "strange" setup, but I have some problem with
> > dtml-in or maybe I simply didn't get something right..
> >
> > Well, I used the following dtml code:
> >
> > 
> > 
> > a
> > 
> > 
> 
> 
> *rustle* try orphan=0 :-)
> 
> Greetings
> Tino
> >
> > and I thought I will get three a's as output.. instead I get 6..
> > If I do size=3 it's ok (3 output), if I do size=4 or 5 or 6 I get
> > them all..
> > (actually it happened with some more complex list of Result objects but
> >  this seems to do the same here)
> >
> > Can someone explain that to me..?
> >
> > (it's Zope 2.3.2, Python 1.5.2, SuSE Linux 7.0)
> >
> > cheers,
> >   Christian
> >
> > --
> > COM.lounge  http://comlounge.net/
> > communication & design [EMAIL PROTECTED]
> >
> > ___
> > Zope-Dev maillist  -  [EMAIL PROTECTED]
> > http://lists.zope.org/mailman/listinfo/zope-dev
> > **  No cross posts or HTML encoding!  **
> > (Related lists -
> >  http://lists.zope.org/mailman/listinfo/zope-announce
> >  http://lists.zope.org/mailman/listinfo/zope )
> 
> 
> 
> 

-- 
COM.lounge  http://comlounge.net/
communication & design [EMAIL PROTECTED]

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in bug?

[Tino Wildenhain]

Hi Christian,

--On Montag, 28. Mai 2001 15:38 +0200 Christian Scholz <[EMAIL PROTECTED]> 
wrote:

> Hi!
>
> Dunno if it's again my "strange" setup, but I have some problem with
> dtml-in or maybe I simply didn't get something right..
>
> Well, I used the following dtml code:
>
> 
> 
> a
> 
> 


*rustle* try orphan=0 :-)

Greetings
Tino
>
> and I thought I will get three a's as output.. instead I get 6..
> If I do size=3 it's ok (3 output), if I do size=4 or 5 or 6 I get
> them all..
> (actually it happened with some more complex list of Result objects but
>  this seems to do the same here)
>
> Can someone explain that to me..?
>
> (it's Zope 2.3.2, Python 1.5.2, SuSE Linux 7.0)
>
> cheers,
>   Christian
>
> --
> COM.lounge  http://comlounge.net/
> communication & design [EMAIL PROTECTED]
>
> ___
> Zope-Dev maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )





___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in performance

[Joachim Werner]

> > What can I do to maximize the peformance of a dtml-in statement?
> > When iterating over a 2000 row database query, it takes about 20
> > seconds - time mostly spent doing security checks, and calling
> > __getitem__ in DT_InSV.py.  Is the performance of dtml-in just slow?
> > -Brett
> >
>
> Another performance consideration with looping in DTML is that whatever
> is in your DTML block is reinterpreted each time through. Although it is
> parsed (hopefully) only the first time through, this overhead is still
> considerable when multiplied over 2000 rows. You are essentially using
> an interpreter (Python) as an interpreter for DTML. I would seriously
> consider moving this entire operation (query, iteration and html
> generation) to native Python if performance is a big consideration.

We have had similar performance problems with the first version of our
Content Management demo. It used both dtml-in loops and ZClasses (with other
ZCLasses as base classes) heavily. The combination of the both can be very
efficient in slowing down Zope. I remember the first versions of Martijn
Faassen's XML-Widgets that had a similar performance problem. The reason is
that in addition to the dtml-in overhead ZClasses take a lot of time for
acquiring from their containers and inheriting from their "base classes" as
all the inheritance stuff is only simulated - in fact almost everything is
just stored in property sheets and has to be processed by the security
engine if I got it right.

In Python these problems go away. Maybe it is time for a good
reimplementation of ZClasses, inlcuding the creation of REAL Python classes
in the filesystem on  the fly.

BTW: Does anybody know if the Zope Page Templates (ZPT) parser is faster
with looping than the DTML one?

Cheers,

Joachim.


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in performance

[Joachim Werner]

> > What can I do to maximize the peformance of a dtml-in statement?
> > When iterating over a 2000 row database query, it takes about 20
> > seconds - time mostly spent doing security checks, and calling
> > __getitem__ in DT_InSV.py.  Is the performance of dtml-in just slow?
> > -Brett
> >
>
> Another performance consideration with looping in DTML is that whatever
> is in your DTML block is reinterpreted each time through. Although it is
> parsed (hopefully) only the first time through, this overhead is still
> considerable when multiplied over 2000 rows. You are essentially using
> an interpreter (Python) as an interpreter for DTML. I would seriously
> consider moving this entire operation (query, iteration and html
> generation) to native Python if performance is a big consideration.

We have had similar performance problems with the first version of our
Content Management demo. It used both dtml-in loops and ZClasses (with other
ZCLasses as base classes) heavily. The combination of the both can be very
efficient in slowing down Zope. I remember the first versions of Martijn
Faassen's XML-Widgets that had a similar performance problem. The reason is
that in addition to the dtml-in overhead ZClasses take a lot of time for
acquiring from their containers and inheriting from their "base classes" as
all the inheritance stuff is only simulated - in fact almost everything is
just stored in property sheets and has to be processed by the security
engine if I got it right.

In Python these problems go away. Maybe it is time for a good
reimplementation of ZClasses, inlcuding the creation of REAL Python classes
in the filesystem on  the fly.

BTW: Does anybody know if the Zope Page Templates (ZPT) parser is faster
with looping than the DTML one?

Cheers,

Joachim.


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in performance

[Casey Duncan]

Brett Carter wrote:
> 
> What can I do to maximize the peformance of a dtml-in statement?
> When iterating over a 2000 row database query, it takes about 20
> seconds - time mostly spent doing security checks, and calling
> __getitem__ in DT_InSV.py.  Is the performance of dtml-in just slow?
> -Brett
> 

Another performance consideration with looping in DTML is that whatever
is in your DTML block is reinterpreted each time through. Although it is
parsed (hopefully) only the first time through, this overhead is still
considerable when multiplied over 2000 rows. You are essentially using
an interpreter (Python) as an interpreter for DTML. I would seriously
consider moving this entire operation (query, iteration and html
generation) to native Python if performance is a big consideration.

-- 
| Casey Duncan
| Kaivo, Inc.
| [EMAIL PROTECTED]
`-->

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in performance

[Jens Vagelpohl]

call the daatabase query in an external method and convert the result to a
simple object (like a dictionary), then pass that back and iterate over it

jens


on 4/4/01 20:54, Brett Carter at [EMAIL PROTECTED] wrote:

> What can I do to maximize the peformance of a dtml-in statement?
> When iterating over a 2000 row database query, it takes about 20
> seconds - time mostly spent doing security checks, and calling
> __getitem__ in DT_InSV.py.  Is the performance of dtml-in just slow?
> -Brett
> 
> ___
> Zope-Dev maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists - 
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope )
> 


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in performance

[Andy]

Yes, but iterating over a list of 2000 rows is a long process. Things like
using mapping slow it down even further as you get each column. Less rows
will make all the difference.

- Original Message -
From: "Brett Carter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 04, 2001 5:54 PM
Subject: [Zope-dev] dtml-in performance


> What can I do to maximize the peformance of a dtml-in statement?
> When iterating over a 2000 row database query, it takes about 20
> seconds - time mostly spent doing security checks, and calling
> __getitem__ in DT_InSV.py.  Is the performance of dtml-in just slow?
> -Brett
>
> ___
> Zope-Dev maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
>



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in: next-batches

[Dieter Maurer]

Brett Carter writes:
 > I tried accessing keys off the 'data' object, and I just get an
 > 'unathorized' error.
 > Dieter> The attributes your are looking for are in fact keys
 > Dieter> of the mapping 'data'.
Sorry for the misleading answer.

"data" is not supposed to be used directly.

"next-batches" returns a sequence of
"DocumentTemplate.DT_In_SV.sequence_variables".
Each "sequence_variables" object behaves like a mapping
and exposes the items of its "data" member (and some more
items derived from them), among them
"batch-start-index", 'batch-end-index', and 'batch-size'.


Dieter

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] dtml-in: next-batches

[Bryan Baszczewski]

I found this in some Zope documentation.  It wont give you "1,2,3,4,5...10"
it gives "(1-10)(11-20)(21-30)...". Monkey with it a little and you'll get
it.  Beware it will call your External Method or ZSQL as many times/10.



, 

( - )





, 

( - )




)">




-Bryan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
Of Brett Carter
Sent: Wednesday, March 07, 2001 6:34 PM
To: [EMAIL PROTECTED]
Subject: [Zope-dev] dtml-in: next-batches


Does anybody have an example of how to use the supposed next-batches
mapping returned by dtml-in?
I'm trying to build a google-like pageing feature into my application,
so we just show the first 5 results, then have a link to each next
page, ie "1,2,3,4..."
Thanks,
-Brett

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in: next-batches

[Brett Carter]

I tried accessing keys off the 'data' object, and I just get an
'unathorized' error.
-Brett

> "Dieter" == Dieter Maurer <[EMAIL PROTECTED]> writes:

Dieter> Brett Carter writes:
>> I'm running Zope 2.2.2, and I'm trying to use the batching stuff for
>> the dtml-in tag, however, I can't seem to access any attributes off
>> the 'next-batches' or 'previous-batches' mapping object that's
>> supposed to be available, with the attributes 'batch-start-index',
>> 'batch-end-index', and 'batch-size'.
>> 
>> I wrote an external method to dir the 'next-batches' object, and it
>> seems the only attributes available are:
>> ['data', 'items', 'query_string', 'start_name_re']
Dieter> The attributes your are looking for are in fact keys
Dieter> of the mapping 'data'.


Dieter> Dieter

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in: next-batches

[Dieter Maurer]

Brett Carter writes:
 > I'm running Zope 2.2.2, and I'm trying to use the batching stuff for
 > the dtml-in tag, however, I can't seem to access any attributes off
 > the 'next-batches' or 'previous-batches' mapping object that's
 > supposed to be available, with the attributes 'batch-start-index',
 > 'batch-end-index', and 'batch-size'.
 > 
 > I wrote an external method to dir the 'next-batches' object, and it
 > seems the only attributes available are:
 > ['data', 'items', 'query_string', 'start_name_re']
The attributes your are looking for are in fact keys
of the mapping 'data'.


Dieter

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in: next-batches

[Brett Carter]

I've also discovered that setting overlap = 0 actually causes
everything to overlap by 1.   I didn't see anything in the collector
about this either...
-Brett


> "Brett" == Brett Carter <[EMAIL PROTECTED]> writes:

Brett> I'm running Zope 2.2.2, and I'm trying to use the batching stuff for
Brett> the dtml-in tag, however, I can't seem to access any attributes off
Brett> the 'next-batches' or 'previous-batches' mapping object that's
Brett> supposed to be available, with the attributes 'batch-start-index',
Brett> 'batch-end-index', and 'batch-size'.  However, my example code (see
Brett> below) blows up with a key error when trying to access any of these.
Brett> Is this a bug, or am I just misunderstanding how to use this thing?

Brett> I wrote an external method to dir the 'next-batches' object, and it
Brett> seems the only attributes available are:
Brett> ['data', 'items', 'query_string', 'start_name_re']
Brett> -Brett

Brett>  
Brett> 
Brett>  
Brett>  
Brett> 

Brett> 
Brett>  Previous
Brett> 

Brett> 
Brett>   
Brett> 
Brett>   
Brett> 
Brett>   
Brett>
Brett>
Brett>
Brett>
Brett>
Brett>   
   
Brett>  Next
Brett> 

Brett> 

Brett> ___
Brett> Zope-Dev maillist  -  [EMAIL PROTECTED]
Brett> http://lists.zope.org/mailman/listinfo/zope-dev
Brett> **  No cross posts or HTML encoding!  **
Brett> (Related lists - 
Brett>  http://lists.zope.org/mailman/listinfo/zope-announce
Brett>  http://lists.zope.org/mailman/listinfo/zope )

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML Documents/Folders in ZClasses fail to accessanything

[Itai Tavor]

Steve Alexander wrote:

>Itai Tavor wrote:
>
>>Hi,
>>
>>I got a ZClass 'Test', with a DTML Method 'view' containing 
>>, and a DTML Document 'view2' with the same line. 
>>instance/view works. instance/view2 returns (ZDebug output):
>
>From SimpleItem.py:
>
>"""Direct use of the 'id' attribute is deprecated - use getId()"""
>
>The difference you're seeing is because the DTML Method is acquiring the
>id attribute, whereas you're getting the DTML Document's own id
>attribute.

Thanks, but it's got nothing to do with getId... I just used id 
because it's easy to write. I get the same behavior if I try to view 
meta_type, or a property that is defined on a propertysheet in the 
ZClass. And the fact that the DTML Document uses its own attributes 
shouldn't cause Unauthorized, should it? It should just show a 
different attribute, or acquire the attribute if it doesn't have it.

I just tried it again with a clean install of Zope 2.3.0. In a DTML 
Document, this works (name is a property in the ZClass propertysheet):


   
   


But these fail with Unauthorized: , . The  in standard_html_header fails 
as well.

I also repeated the folder test: In a DTML Method stored inside a 
folder in the ZClass,  works, but  fails.

So what do we have? I can't use title_or_id on DTML Documents, so 
it's useless for use in standard_html_header (and title_or_id uses 
getId, so it should work). I can't access ZClass properties from the 
DTML Document unless I use dtml-with - meaning no acquisition. And I 
can't access properties of the DTML Document (like meta_type) unless 
they are accessed using a method call (like getId()). This can't be 
right.

I find it hard to believe that if this is really a bug, it didn't 
bother anybody else until now. On the other hand, these tests seem to 
show a problem with security checks on objects in ZClasses that 
create their own context. So what am I still missing here?

Itai
-- 
--
Itai Tavor  -- "Je sautille, donc je suis."--
[EMAIL PROTECTED]--   - Kermit the Frog --
-- --
-- "If you haven't got your health, you haven't got anything"  --


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML Documents/Folders in ZClasses fail to access anything

[Dieter Maurer]

Itai Tavor writes:
 > I got a ZClass 'Test', with a DTML Method 'view' containing  id>, and a DTML Document 'view2' with the same line. instance/view 
 > works. instance/view2 returns (ZDebug output):
 > 
 > Error type: Unauthorized
 > Error value: The object /test/view2, which is contained in 
 > /test/view2, is marked as private.
I would check the ZClass's "Access Contents Information"
permission mapping.


Dieter

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML Documents/Folders in ZClasses fail to access anything

[Steve Alexander]

Itai Tavor wrote:

> Hi,
> 
> I got a ZClass 'Test', with a DTML Method 'view' containing  id>, and a DTML Document 'view2' with the same line. instance/view 
> works. instance/view2 returns (ZDebug output):

>From SimpleItem.py:

"""Direct use of the 'id' attribute is deprecated - use getId()"""

The difference you're seeing is because the DTML Method is acquiring the
id attribute, whereas you're getting the DTML Document's own id
attribute.

--
Steve Akexander
Software Engineer
Cat-Box limited
http://www.cat-box.net



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching

[Chris Withers]

[EMAIL PROTECTED] wrote:

> Well that's odd - I searched the collector for "dtml-in" and got no
> matches. 

that's because of the - in dtml-in being treated as a stop character by
ZCatalog.

Ironically, ZCatalog is not very good at indexing stuff that contains
documentation about Zope, stripping out characters like _ - and . :-S

cheers,

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML block parsing

[Steve Alexander]

Casey Duncan wrote:

> 
> OK, I have developed a new patch that almost completely fixes this
> issue. In fact I am happier with it in general than my first patch.
> There is only one flaw, although you can nest comments inside of one
> another, and you can have any manner of broken dtml inside, if you open
> another comment tag inside it, it must be properly balanced or you will
> get a parse error. Here are some examples:



> I am a bit concerned that  should ever generate errors at
> all, but this is certainly an improvement. Anybody have any thoughts?

I'm very happy with the way you describe the patched tag works. I'll try 
it out when I return from the EuroZope meeting in Amsterdam.

I don't think it is reasonable to try to catch unbalanced dtml-comment 
tags. In fact, I like the fact that it will raise an error if I leave 
them unbalanced.

Thanks.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching

[Brad Clements]

On 24 Jan 2001, at 11:15, [EMAIL PROTECTED] wrote:


> Brad Clements wrote:

> > I posted this same bug AND a patch as bug # 1566 on Aug 28th, 2000.
> > 
> > http://classic.zope.org:8080/Collector/1566/view
> > 
> > Sad to see its *still* pending
> 
> Well that's odd - I searched the collector for "dtml-in" and got no
> matches. A search for "renderwb" (which is in the title) works. Looks like
> it doesn't search the description after all. Boo to the search engine.
> 
> Just curious: why specify the browser/platform/python version stuff when
> the problem is independant of those things?
> 

Because I'm Anal Retentive.

Also figured perhaps my entry would be ignored without that information.

Or worse the form would be rejected on submit because those fields 
where blank AND it wouldn't remember what I'd put in AND back would 
fail.

So, I filled out the form entirely.


Brad Clements,[EMAIL PROTECTED]   (315)268-1000
http://www.murkworks.com  (315)268-9812 Fax
netmeeting: ils://ils.murkworks.com   AOL-IM: BKClements

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching

[richard]

Brad Clements wrote:
> On 24 Jan 2001, at 9:43, [EMAIL PROTECTED] wrote:
> > Tres Seaver wrote:
> 
> > > Please post this as a "Bug w/ patch" to the Collector:
> > >
> > >  http://classic.zope.org:8080/Collector
> > >
> > > That way we don't lose your fix in the list traffic (losing it
> > > along with our marbles is another problem :)
> >
> >Someone else responded to the list saying that he'd already done it.
> > There was no match to my search of dtml-in though, so I've submitted a new
> > bug report.
> 
> I posted this same bug AND a patch as bug # 1566 on Aug 28th, 2000.
> 
> http://classic.zope.org:8080/Collector/1566/view
> 
> Sad to see its *still* pending

Well that's odd - I searched the collector for "dtml-in" and got no
matches. A search for "renderwb" (which is in the title) works. Looks like
it doesn't search the description after all. Boo to the search engine.

Just curious: why specify the browser/platform/python version stuff when
the problem is independant of those things?


Richard

ps. Brad, sorry I referred to you as "someone else" - I lost the email with
your name in it ;)

-- 
Richard Jones
[EMAIL PROTECTED]
Senior Software Developer, Bizar Software (www.bizarsoftware.com.au)

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching

[Brad Clements]

On 24 Jan 2001, at 9:43, [EMAIL PROTECTED] wrote:

> Tres Seaver wrote:

> > Please post this as a "Bug w/ patch" to the Collector:
> > 
> >  http://classic.zope.org:8080/Collector
> > 
> > That way we don't lose your fix in the list traffic (losing it
> > along with our marbles is another problem :)
> 
>Someone else responded to the list saying that he'd already done it.
> There was no match to my search of dtml-in though, so I've submitted a new
> bug report.


I posted this same bug AND a patch as bug # 1566 on Aug 28th, 2000.


http://classic.zope.org:8080/Collector/1566/view

Sad to see its *still* pending



Brad Clements,[EMAIL PROTECTED]   (315)268-1000
http://www.murkworks.com  (315)268-9812 Fax
netmeeting: ils://ils.murkworks.com   AOL-IM: BKClements

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching

[Tres Seaver]

On Wed, 24 Jan 2001 [EMAIL PROTECTED] wrote:

> Tres Seaver wrote:
>
> > Please post this as a "Bug w/ patch" to the Collector:
> > 
> >  http://classic.zope.org:8080/Collector
> > 
> > That way we don't lose your fix in the list traffic (losing it
> > along with our marbles is another problem :)
> 
> Someone else responded to the list saying that he'd already
> done it.  There was no match to my search of dtml-in though, so
> I've submitted a new bug report.

Thanks very much!

Tres.
-- 
===
Tres Seaver[EMAIL PROTECTED]
Digital Creations "Zope Dealers"   http://www.zope.org


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching

[richard]

Tres Seaver wrote:
> 
> [EMAIL PROTECTED] wrote:
> > [EMAIL PROTECTED] wrote:
> > >
> > > The dtml-in batching mechanisms are quite difficult to debug - the DTML
> > > documentation I have has examples which break it and there's no indication
> > > of why. It turns out the DT_In renderwb() code gobbles all exceptions from
> > > the rendering of the previous and next blocks. I've hacked my code so that
> > > there's no try/except clause any more. I'm not sure what exception it's
> > > trying to catch, but could it perhaps be made a little more picky?
> >
> > And here's a diff - I'm pretty sure this was the intended behaviour...
> 
> Please post this as a "Bug w/ patch" to the Collector:
> 
>  http://classic.zope.org:8080/Collector
> 
> That way we don't lose your fix in the list traffic (losing it
> along with our marbles is another problem :)

   Someone else responded to the list saying that he'd already done it.
There was no match to my search of dtml-in though, so I've submitted a new
bug report.


  Richard

-- 
Richard Jones
[EMAIL PROTECTED]
Senior Software Developer, Bizar Software (www.bizarsoftware.com.au)

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML block parsing

[Casey Duncan]

Casey Duncan wrote:
> 
> Steve Alexander wrote:
> > With your patch applied, will nested dtml-comment tags still work?
> >
> > 
> >Some code commented out
> >  
> >Documentation in a comment
> >  
> >Rest of code commented out
> > 
> >
> > --
> > Steve Alexander
> > Software Engineer
> > Cat-Box limited
> > http://www.cat-box.net
> 
> In present form no. It also does not support block continuation tags.
> 
> I will see what I can do about this.

OK, I have developed a new patch that almost completely fixes this
issue. In fact I am happier with it in general than my first patch.
There is only one flaw, although you can nest comments inside of one
another, and you can have any manner of broken dtml inside, if you open
another comment tag inside it, it must be properly balanced or you will
get a parse error. Here are some examples:

These do not generate errors with my new patch:














Blah Blah



These do:












I am a bit concerned that  should ever generate errors at
all, but this is certainly an improvement. Anybody have any thoughts?
-- 
| Casey Duncan
| Kaivo, Inc.
| [EMAIL PROTECTED]
`-->

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML block parsing

[Casey Duncan]

Steve Alexander wrote:
> With your patch applied, will nested dtml-comment tags still work?
> 
> 
>Some code commented out
>  
>Documentation in a comment
>  
>Rest of code commented out
> 
> 
> --
> Steve Alexander
> Software Engineer
> Cat-Box limited
> http://www.cat-box.net

In present form no. It also does not support block continuation tags.

I will see what I can do about this.
-- 
| Casey Duncan
| Kaivo, Inc.
| [EMAIL PROTECTED]
`-->

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML block parsing

[Steve Alexander]

Casey Duncan wrote:

> 
> If not, I will make a patch for DT_String to support this. The
> beneficial side affect would be that  could be "fixed" so
> that its contents need not be parsable anymore, just like every other
> language I know of.

With your patch applied, will nested dtml-comment tags still work?


   Some code commented out
 
   Documentation in a comment
 
   Rest of code commented out


--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching

[Tres Seaver]

[EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> > 
> > The dtml-in batching mechanisms are quite difficult to debug - the DTML
> > documentation I have has examples which break it and there's no indication
> > of why. It turns out the DT_In renderwb() code gobbles all exceptions from
> > the rendering of the previous and next blocks. I've hacked my code so that
> > there's no try/except clause any more. I'm not sure what exception it's
> > trying to catch, but could it perhaps be made a little more picky?
> 
> And here's a diff - I'm pretty sure this was the intended behaviour...

Please post this as a "Bug w/ patch" to the Collector:

 http://classic.zope.org:8080/Collector

That way we don't lose your fix in the list traffic (losing it
along with our marbles is another problem :)

Tres.
-- 
===
Tres Seaver[EMAIL PROTECTED]
Digital Creations "Zope Dealers"   http://www.zope.org

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching

[Brad Clements]

This was submitted to the collect quite a while ago as a bug..

Also I submitted a patch about 2 months ago for this, about the same 
patch as yours.

On 22 Jan 2001, at 12:03, [EMAIL PROTECTED] wrote:

From:   [EMAIL PROTECTED]
Date sent:  Mon, 22 Jan 2001 12:03:14 +1100
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject:            Re: [Zope-dev] dtml-in batching

> [EMAIL PROTECTED] wrote:
> > 
> > The dtml-in batching mechanisms are quite difficult to debug - the DTML
> > documentation I have has examples which break it and there's no
> > indication of why. It turns out the DT_In renderwb() code gobbles all
> > exceptions from the rendering of the previous and next blocks. I've
> > hacked my code so that there's no try/except clause any more. I'm not
> > sure what exception it's trying to catch, but could it perhaps be made a
> > little more picky?
> 
> And here's a diff - I'm pretty sure this was the intended behaviour...
> 
> 
> *** /tmp/DT_In.py.origMon Jan 22 12:00:53 2001
> --- DT_In.py  Mon Jan 22 12:00:58 2001
> ***
> *** 561,566 
> --- 561,570 
>   # there are more items, without actually
>   # computing a length:
>   sequence[end]
> + except IndexError:
> + if self.elses: result=render(self.elses, md)
> + else: result=''
> + else:
>   pstart,pend,psize=opt(end+1-overlap,0,
>  sz,orphan,sequence)
>   kw['next-sequence']=1
> ***
> *** 568,576 
>   kw['next-sequence-end-index']=pend-1
>   kw['next-sequence-size']=pend+1-pstart
>   result=render(section,md)
> - except:
> - if self.elses: result=render(self.elses, md)
> - else: result=''
>   else:
>   result = []
>   append=result.append
> --- 572,577 
> 
> 
> -- 
> Richard Jones
> [EMAIL PROTECTED]
> Senior Software Developer, Bizar Software (www.bizarsoftware.com.au)
> 



Brad Clements,[EMAIL PROTECTED]   (315)268-1000
http://www.murkworks.com  (315)268-9812 Fax
netmeeting: ils://ils.murkworks.com   AOL-IM: BKClements

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML block parsing

[ender]

On Monday 22 January 2001 08:54, Casey Duncan wrote:
> I am working on a custom DTML tag (that I may unleash on the world when
> finished) that has brought to my attention an interesting feature of the
> DTML parser:
>
> It preparses everything in the block(s) between the start and end tags
> before the document containing the code is committed.
>
> My tag is a little different in that I don't want to put DTML inside it,
> therefore this parsing is undesirable. There is however one built-in tag
> that this is true for as well: . Many a thread has been
> burned about that issue.


i've been bitten by this 'feature' as well. i hacked out a bad solution
where i checked the length of the block, and raised an error if  it was
larger than one. but this didn't solve the problem that the nested dtml
was still evaluated. which troubles me since i think it could be a security
problem in the context of my tag.

> I propose a change to DT_String to allow a tag to turn off this
> preparsing feature. It should be easy enough to implement by adding a
> class attribute to the tag class such as disable_dtml_block_parsing = 1.
> Is this abhorrent to anyone?

sounds good to me.

> If not, I will make a patch for DT_String to support this. The
> beneficial side affect would be that  could be "fixed" so
> that its contents need not be parsable anymore, just like every other
> language I know of.

cool.

Kapil Thangavelu

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching

[richard]

[EMAIL PROTECTED] wrote:
> 
> The dtml-in batching mechanisms are quite difficult to debug - the DTML
> documentation I have has examples which break it and there's no indication
> of why. It turns out the DT_In renderwb() code gobbles all exceptions from
> the rendering of the previous and next blocks. I've hacked my code so that
> there's no try/except clause any more. I'm not sure what exception it's
> trying to catch, but could it perhaps be made a little more picky?

And here's a diff - I'm pretty sure this was the intended behaviour...


*** /tmp/DT_In.py.orig  Mon Jan 22 12:00:53 2001
--- DT_In.pyMon Jan 22 12:00:58 2001
***
*** 561,566 
--- 561,570 
  # there are more items, without actually
  # computing a length:
  sequence[end]
+ except IndexError:
+ if self.elses: result=render(self.elses, md)
+ else: result=''
+ else:
  pstart,pend,psize=opt(end+1-overlap,0,
sz,orphan,sequence)
  kw['next-sequence']=1
***
*** 568,576 
  kw['next-sequence-end-index']=pend-1
  kw['next-sequence-size']=pend+1-pstart
  result=render(section,md)
- except:
- if self.elses: result=render(self.elses, md)
- else: result=''
  else:
  result = []
  append=result.append
--- 572,577 


-- 
Richard Jones
[EMAIL PROTECTED]
Senior Software Developer, Bizar Software (www.bizarsoftware.com.au)

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in batching

[richard]

[EMAIL PROTECTED] wrote:
> 
> The dtml-in batching mechanisms are quite difficult to debug - the DTML
> documentation I have has examples which break it and there's no indication
> of why. It turns out the DT_In renderwb() code gobbles all exceptions from
> the rendering of the previous and next blocks. I've hacked my code so that
> there's no try/except clause any more. I'm not sure what exception it's
> trying to catch, but could it perhaps be made a little more picky?

   Re-glancing at the code shows me that this is only the case for the next
block. Sorry about that.

-- 
Richard Jones
[EMAIL PROTECTED]
Senior Software Developer, Bizar Software (www.bizarsoftware.com.au)

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML Documents == DTML Methods that are anchored?

[Dieter Maurer]

The Doctor What writes:
 > What are the differences between DTML Documents and Methods
 > internally?
There are too small differences:

 1. DTML documents implement the "PropertyManager" interface,
i.e. they can have properties other than "id" and "title".


 2. DTML documents place themselves on top of the DTML
namespace when they are rendered (called),
DTML methods do not place themselves on the namespace at all
for rendering.

The effect is that during name lookup a DTML Document
is asked early whether it (or its acquisition ancestors)
can satisfy the name request. If it can, you get
this object.
A DTML Method, on the other hand, would not be asked
in a similar situation, as it is not on the namespace
stack.

This means, name lookup looks through the
DTML Method directly onto the method's client,
the Method is completely transparent.
A DTML Document is only partially transparent,
it hides all names that it or its acquisition ancestors
define. Only the other names are handled in the same
way as would be the case for a DTML method.


Dieter

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML Documents == DTML Methods that are anchored?

[matt]

You should look through the mailing lists  there is generous amounts of
answers to this.  For me the two sit philosophically linked in the acquisition
model.  Acquisition is partially about actions working in environments, with the
environment decribing the quality of the result.  You can think of a DTMLMethod
as an action, who itself has no substrate, i.e. properties, and  DTMLDocuments
as substrate, i.e. it contains properties etc, for example background colour,
types of animals, whatever.  One can then throw a method around into different
environments, i.e. call it on documents, and one will get a result that is
dependent on that environment(document).   It is also nice that environments can
acquire from their surrounding too, so you should think of acquisition in
DTMLDocuments as been for more and more global properties as one moves out, eg:
a company logo.  Whereas acquisition for a method is to actually acquire an
environment to work in. 

Well that's the way I view it, and it helps.

Matt





 On Sat, 30 Dec 2000, The Doctor What wrote:
> What are the differences between DTML Documents and Methods
> internally?  I was just thinking about the problems every new user
> (and experienced users, every so often) have regarding DTML
> Documents vs DTML Methods.
> 
> Aren't they really the same except that Documents are anchored (ie,
> don't allow aquisition from the caller, but only from the location
> of the Document)?
> 
> If that is true, couldn't they be simplified as a (example name)
> DTML Object that had an "anchor" flag?
> 
> Just a thought.
> 
> Ciao!
> 
> -- 
> So Buddha walks into a pizza parlor and says: "Hey, make me one with everything."
> 
> The Doctor What: Need I say more?http://docwhat.gerf.org/
> [EMAIL PROTECTED]   KF6VNC
> 
> ___
> Zope-Dev maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
-- 

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML processing variable

[Paul Erickson]

If this is your exact code, it looks like you should be using
"sequence-item", instead of "sequence_item".

You should also be able to do it without the external method like this:
(100% untested)


  



"David W. Damon" wrote:
> 
> Hey all,
> 
> I'm having difficulty getting dtml-in to iterate over a list of strings
> returned from an external python method.
> 
> Essentially, I have a string that is comprised of the contents of an HTML text
> area.  I need to split the string into a list of words and iterate over this
> list.
> 
> My external python method is this:
> 
> def stringSplit( self, theString ):
>   return string.split( theString )
> 
> Heres the pertinent DTML.
> 
> ---
> 
> 
>   
> 
> 
> 
> 
> ---
> 
> If I comment out the dtml-in block, i have a  userList variable in the REQUEST
> object that is something like: ['name1', 'name2', 'name3']
> 
> Any ideas?
> 
> -- dave
> 
> ___
> Zope-Dev maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )

-- 
Paul Erickson   | [EMAIL PROTECTED]
Kaivo, Inc. | www.kaivo.com

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] dtml-var tag suggestion

[Casey Duncan]

Thanks, that works good. It also escapes any special characters in the
string, an added bonus.

The only case I found where a new format option would work better is if you
use the dtml-var size option to limit the size of the string. I will
continue to play with it and see what I come up with.

Perhaps an option to back_quote should be added to dtml-var to eliminate
somewhat hairy looking expressions like this (taken from my code):



I never thought I would use every type of quotation mark in a single
expression! 8^)

Thanks!

-Casey D.

-Original Message-
From: Duncan Booth [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 31, 2000 10:09 AM
To: Casey Duncan; [EMAIL PROTECTED]
Subject: Re: [Zope-dev] dtml-var tag suggestion


> I have been using dtml to create dynamic JavaScripts for some forms I am
> creating. In doing this I came upon the standard problem of inserting
> strings containing double quotes into a JavaScript such as where title =
> '"Quoted String"':
>
> form.select.options[0].text = "";
>
> And you wind up with this rendered:
>
> form.select.options[0].text = ""Quoted String"";
>
Given that, like Python, javascript accepts strings either single or
double quoted, you could try using backquotes to escape the
string:

 form.select.options[0].text = ;

should (untested) give you:

 form.select.options[0].text = '"Quoted String"';

Provided title is a string, this will escape any quotes and, for that
matter, unprintable characters, and wrap either single or double
quotes round the outside. If title is a method then you need to call
it first: 

--
Duncan Booth
[EMAIL PROTECTED]
int month(char *p){return(124864/((p[0]+p[1]-p[2]&0x1f)+1)%12)["\5\x8\3"
"\6\7\xb\1\x9\xa\2\0\4"];} // Who said my code was obscure?
http://dales.rmplc.co.uk/Duncan


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-var tag suggestion

[Duncan Booth]

> I have been using dtml to create dynamic JavaScripts for some forms I am
> creating. In doing this I came upon the standard problem of inserting
> strings containing double quotes into a JavaScript such as where title =
> '"Quoted String"':
> 
> form.select.options[0].text = "";
> 
> And you wind up with this rendered:
> 
> form.select.options[0].text = ""Quoted String"";
> 
Given that, like Python, javascript accepts strings either single or 
double quoted, you could try using backquotes to escape the 
string:

 form.select.options[0].text = ;

should (untested) give you:

 form.select.options[0].text = '"Quoted String"';

Provided title is a string, this will escape any quotes and, for that 
matter, unprintable characters, and wrap either single or double 
quotes round the outside. If title is a method then you need to call 
it first: 

-- 
Duncan Booth [EMAIL PROTECTED]
int month(char *p){return(124864/((p[0]+p[1]-p[2]&0x1f)+1)%12)["\5\x8\3"
"\6\7\xb\1\x9\xa\2\0\4"];} // Who said my code was obscure?
http://dales.rmplc.co.uk/Duncan

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in: sort is not locale-aware

[mike]

Oleg Broytmann wrote:
> 
> Hello!
> 
>Currently dtml-in does not use locale when sorting the sequence. Before
> creating a patch I want to discuss a way dtml-in should handle this. The
> problem is that list.sort() does not sort according to koi8-r cyrillic
> locale; to make sort locale-aware I need to list.sort(locale.strcoll).
>But how I could ask dtml-in to use locale.strcoll? Should I add another
> option to dtml-in? Something like
> ?

I use 
A bit slower but works like hammer.

Mike

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] dtml-in: sort is not locale-aware

[Oleg Broytmann]

On Tue, 20 Jun 2000, mike wrote:
> >But how I could ask dtml-in to use locale.strcoll? Should I add another
> > option to dtml-in? Something like
> > ?
> 
> I use 
> A bit slower but works like hammer.

   I want to use all power of dtml-in and other zope tools. There are
things where I can just write my functions and methods; and there are cases
so general that it's more correct to extend zope functionality.

   Do you know that latest version of Zope can sort by multiple keys? How
do you extend your ru_sort() to reflect the change?

Oleg.(All opinions are mine and not of my employer)
 
Oleg Broytmann  Foundation for Effective Policies  [EMAIL PROTECTED]
   Programmers don't die, they just GOSUB without RETURN.


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML DTD (or DTML mode for EMACS)?

[mike]

Stephan Richter wrote:
> 
> At 01:30 PM 6/20/00 +0800, you wrote:
> >Does anybody have subject?
> 
> Well, I use SGML-MODE. Works for me.

Which DTD do you use? 
If I have 'ignore undefined elements' option set it does not indent
 tags properly (of course). If I unset this option, 'normalize'
command removes all content of  tags.

Mike

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] DTML tag creation.

[Itamar Shtull-Trauring]

Bill Anderson wrote:

> I am about to dive into a custom tag, it will be a 'container' tag.
> I have seen the HowTo, and it really isn't that clear when you get to
> the container tag info.
> 
> Can anyone provide a better rundown?  Anyone have a custom tag they
> would mind sharing for perusal?
> Just trying to save myself sometime.

Not a container tag, but check out
http://www.zope.org/Members/noa/SpellChecker - me and Noa wrote this a while
back.  A spellchecker interface written in DTML is not a pretty sight, but
you do learn DTML really quickly :)

-- 
Itamar S.T.  [EMAIL PROTECTED]

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )