Hi, There's a possible security-related feature here as well. I'd like to propose that the developer be able to force #include and #parse to ONLY read from the same directory, and not the directory above.
We could use this feature, as our system allows untrusted users to upload templates in parallel directories. A template in one directory shouldn't be able to include a template in a parallel directory. New proposal for implementation... I've been toying with an idea of implementing an eventcartridge that gets called upon a #include and #parse. It might have these methods boolean relativeToTemplate(String originalArgument) -- would force the statements to be relative to the template. (default false). String modifyArgument(String originalArgument) -- the method allows the arbitrary replacement of one argument to #include/#parse with another. Returning a null would cancel the #include/#parse entirely. (default, returns originalArgument) The key benefit would be flexibility and simplicity. A simple class following the model of the other event cartridges in which "relativeToTemplate" also returned true would make Claude happy. Yet it offers flexibility for arbitrary redirection of included pages. (I'd use this to declare certain pages of limits for authors). Any comments? Best, WILL _______________________________________ Forio Business Simulations Will Glass-Husain [EMAIL PROTECTED] www.forio.com
