If _name contains data from users, this is vulnerable to an arbitrary code
execution attack.
On Friday, 25 May 2012 00:11:30 UTC-5, Annet wrote:
>
> Hi Anthony,
>
> Thanks for your reply.
>
> > I didn't look at any of the code above this, but based on just this
> line, I assume:
>
> The code above that line generates a bootstrap menu and dropdown menus
> based on whether or not a user has access to a group of functions and
> within that group has access to an individual function.
>
> Your assumption was right.
>
>
> You could also do:
>>
>> {{if eval('session.%sDropdown' % _name):}}
>>
>> ...but please don't. ;-)
>>
>
> Why not?
>
>
> Best regards,
>
> Annet.
>
>
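To make Anthony's point concrete, here is an added example that is not code from the thread or from web2py. It puts the eval() lookup quoted above next to a hardened lookup (allowlist plus getattr) and shows a constructed attacker value for _name that makes the eval() version run code of the attacker's choosing. The Session class is a stand-in for web2py's session object (assumed to support session.adminDropdown style attribute access), ALLOWED_GROUPS is an assumed list of the application's menu groups, and the payload string is constructed for the demonstration.

```python
import re  # not needed for the allowlist; kept for a regex alternative noted below


class Session(object):
    """Stand-in for web2py's session object (assumption: attribute access
    such as session.adminDropdown, as used in the quoted template line)."""

    def __init__(self, **flags):
        for key, value in flags.items():
            setattr(self, key, value)


# Assumed set of menu groups the application actually defines. Anything
# not in here is rejected before it gets anywhere near a lookup.
ALLOWED_GROUPS = frozenset(['admin', 'user', 'report'])


def dropdown_enabled_unsafe(session, _name):
    """The pattern quoted in the thread: _name is spliced into Python
    source text and eval()'d, so any expression Python accepts will run."""
    return bool(eval('session.%sDropdown' % _name))


def dropdown_enabled_safe(session, _name):
    """Hardened lookup: reject names outside the allowlist, then read the
    attribute with getattr instead of generating source text."""
    if _name not in ALLOWED_GROUPS:
        raise ValueError('unknown menu group: %r' % (_name,))
    return bool(getattr(session, _name + 'Dropdown', False))


# Constructed attacker input. The trailing '#' turns the rest of the
# generated expression ("Dropdown") into a comment, so eval() sees:
#   session.userDropdown or setattr(session, 'pwned', True) #Dropdown
# setattr() is used as a harmless marker of execution; __import__('os')
# .system(...) in the same position would run just as well.
PAYLOAD = "userDropdown or setattr(session, 'pwned', True) #"


def demo():
    """Run both lookups against a legitimate name and against PAYLOAD and
    report what happened to the session object."""
    results = {}

    session = Session(adminDropdown=True, userDropdown=False)
    results['legit_unsafe'] = dropdown_enabled_unsafe(session, 'admin')
    results['legit_safe'] = dropdown_enabled_safe(session, 'admin')

    # Attacker-controlled _name reaches eval(): the marker attribute appears.
    dropdown_enabled_unsafe(session, PAYLOAD)
    results['pwned_after_unsafe'] = getattr(session, 'pwned', False)

    # Same input against the hardened version: rejected, nothing executed.
    fresh = Session(adminDropdown=True, userDropdown=False)
    try:
        dropdown_enabled_safe(fresh, PAYLOAD)
        results['safe_rejected'] = False
    except ValueError:
        results['safe_rejected'] = True
    results['pwned_after_safe'] = getattr(fresh, 'pwned', False)

    return results


if __name__ == '__main__':
    for key, value in sorted(demo().items()):
        print('%-18s %s' % (key, value))
```

If the set of groups is not fixed at import time, a shape check such as re.match(r'^[A-Za-z][A-Za-z0-9_]*$', _name) keeps eval()-style metacharacters out, but it still lets a user probe every attribute on session; an explicit allowlist is the stricter choice, and getattr with a default means a missing flag simply reads as "no access".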