> Just discussing this with some colleagues today and we got onto a
> marshalling data and it occured to us it would be nice to do something like
> <input type="text" name="something:html:p:br"> that would only allow p and
> br in the html. Ok, its easy to get around with a fake form, but how about
> being able to only specify certain html tags in metadata in the CMF.

You seem to be aware of the fact, but I'd like to point it out
explicitely: from a security point of view, this is completely useless.
As HTML stripping is often done for security reasons, I fail to see the
interest in such a feature.

(BTW the :required field is also completely useless for security, and
because it's misleading for beginners I even think it's downright

        -- Florent
Florent Guillaume, Nuxeo SARL (Paris, France)
+33 1 40 33 79 10  http://nuxeo.com  mailto:[EMAIL PROTECTED]

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to