> I recently read RFC 2396 which defines the generic URI syntax
> and especially the URL syntax.
> I recognized, that
>  * Zope forbids many characters in ids (with the error message
>    "not allowed in URLs"), that are legal characters
>    in URL path segments:
>       generally allowed in URL's: -_.!~*'()
>          Zope accepted:            _. ~

- as well (see regex below)
, is allowed in the id, sorry not sure what the term path segment means..

>       allowed in path segments:   :@&=+$,
>          Zope accepted:                 ,
>    This, probably, is not a big problem.
>    But, it would be easy to fix.

Except for the fact that Zope also checks that the first character is not a
_. Thats a big security headache. To be honest Im not so worried about Zope
being more restrictive.

>  * Zope allows space characters in (ObjectManager) id's.
>    The space is not a valid URL character.
>    Zope forbids spaces in property ids.

This one is much more important in my mind. Its a real pain. Is there a good
reason for this. It should be easy to fix, actually looking at the regex in
Object Manager, shouldn't that just be a case of taking the space out of the
end of the regex?


line 112: bad_id=ts_regex.compile('[^a-zA-Z0-9-_~\,\.]').search]

On a more anal note could we also patch ObjectManager to tell the user what
characters aren't allowed eg:

line 224: 'The id "%s" contains characters illegal in URLs.' % id

should be

line 224: 'The id "%s" contains characters illegal in URLs. Only characters,
digits and the characters ~-_,. are allowed.' % id

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to