On Monday 22 January 2001 08:54, Casey Duncan wrote:
> I am working on a custom DTML tag (that I may unleash on the world when
> finished) that has brought to my attention an interesting feature of the
> DTML parser:
> It preparses everything in the block(s) between the start and end tags
> before the document containing the code is committed.
> My tag is a little different in that I don't want to put DTML inside it,
> therefore this parsing is undesirable. There is however one built-in tag
> that this is true for as well: <dtml-comment>. Many a thread has been
> burned about that issue.

i've been bitten by this 'feature' as well. i hacked out a bad solution
where i checked the length of the block, and raised an error if it was
larger than one. but this didn't solve the problem that the nested dtml
was still evaluated. which troubles me since i think it could be a security
problem in the context of my tag.

> I propose a change to DT_String to allow a tag to turn off this
> preparsing feature. It should be easy enough to implement by adding a
> class attribute to the tag class such as disable_dtml_block_parsing = 1.
> Is this abhorrent to anyone?

sounds good to me.

> If not, I will make a patch for DT_String to support this. The
> beneficial side effect would be that <dtml-comment> could be "fixed" so
> that its contents need not be parsable anymore, just like every other
> language I know of.


Kapil Thangavelu

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )
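
The behaviour discussed in this thread, as an added example that is not part of either message and is not Zope's DT_String code: a toy block parser in which a tag class can opt out of body preparsing through the proposed `disable_dtml_block_parsing` attribute. The tag syntax, the `Var`, `Comment` and `RawComment` classes and the `parse` function are assumptions made for illustration.

```python
import re
TAG = re.compile(r"<(/?)dtml-(\w+)([^>]*)>")  # toy syntax, not Zope's grammar
DOC = "a<dtml-comment><dtml-var></dtml-comment>b"  # constructed sample input

class ParseError(ValueError): pass

class Var:  # leaf tag; checks its arguments as soon as the parser builds it
    block = False
    def __init__(self, args):
        if not args.strip():
            raise ParseError("dtml-var needs a name")

class Comment:  # block tag; its body is preparsed by default
    block = True
    def __init__(self, args, body):
        self.body = body

class RawComment(Comment):  # opts out with the attribute proposed in the thread
    disable_dtml_block_parsing = 1

def parse(text, tags, pos=0, until=None):
    """Return (nodes, end); nested tags are instantiated during parsing."""
    nodes = []
    while True:
        m = TAG.search(text, pos)
        if m is None:
            if until:
                raise ParseError("unclosed dtml-" + until)
            return nodes + [text[pos:]], len(text)
        nodes.append(text[pos:m.start()])
        closing, name, args = m.groups()
        if closing:
            if name != until:
                raise ParseError("unexpected </dtml-%s>" % name)
            return nodes, m.end()
        if name not in tags:
            raise ParseError("unknown tag dtml-" + name)
        cls, pos = tags[name], m.end()
        if not cls.block:
            nodes.append(cls(args))
        elif getattr(cls, "disable_dtml_block_parsing", 0):
            end = text.find("</dtml-%s>" % name, pos)  # first close tag wins
            if end < 0:
                raise ParseError("unclosed dtml-" + name)
            nodes.append(cls(args, text[pos:end]))  # body kept as opaque text
            pos = text.index(">", end) + 1
        else:
            body, pos = parse(text, tags, pos, name)
            nodes.append(cls(args, body))
```

Parsing `DOC` with `Comment` registered for `comment` raises `ParseError` because the nested `<dtml-var>` is built during parsing; with `RawComment` the same text parses and the body is the literal string `<dtml-var>`.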
