On Thu, 27 Sep 2001 15:48:45 +0200, Dario Lopez-Kästen
<[EMAIL PROTECTED]> wrote:

>Why would one want to use DTMLFile or HTMLFile, and what are the
>differences, benefits or drawbacks of each?

Both of them use files stored in the filesystem, which means they are
completely trusted. No security checks are performed as they execute.

DTMLFile is the usual choice. It sets up the dtml namespace so that
the first place searched is the object that the DTMLFile is an
attribute of.

HTMLFile doesn't tweak the namespace in this way; it will be in the
same state as provided by your caller. This makes it very easy to open
a security hole. HTMLFile should be avoided unless you have a very
good reason to need it.

(There was a full description of the potential security hole in the
Collector...)

Toby Dickenson
[EMAIL PROTECTED]

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
