> Just discussing this with some colleagues today and we got onto
> marshalling data and it occurred to us it would be nice to do something like
> <input type="text" name="something:html:p:br"> that would only allow p and
> br in the html. Ok, it's easy to get around with a fake form, but how about
> being able to only specify certain html tags in metadata in the CMF.
You seem to be aware of the fact, but I'd like to point it out
explicitly: from a security point of view, this is completely useless.
As HTML stripping is often done for security reasons, I fail to see the
interest in such a feature.
(BTW the :required field is also completely useless for security, and
because it's misleading for beginners I even think it's downright
Florent Guillaume, Nuxeo SARL (Paris, France)
+33 1 40 33 79 10 http://nuxeo.com mailto:[EMAIL PROTECTED]
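
The point made in the reply above, as an added example that is not part of the original message or of Zope's own code: the tag allowlist has to come from server-side policy, because the `:html:p:br` suffix in a field name is chosen by whoever submits the form. `FIELD_POLICY`, `AllowlistSanitizer` and `sanitize_field` are hypothetical names, and the sample input is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Server-side policy (hypothetical field names): the allowed tags live in
# code or configuration that the client cannot alter.
FIELD_POLICY = {"something": frozenset({"p", "br"})}
VOID_TAGS = frozenset({"br"})


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags, without attributes; escape all text."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append("<%s>" % tag)  # attributes are always dropped

    def handle_endtag(self, tag):
        if tag in self.allowed and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize_field(submitted_name, value):
    """Sanitize a form value using the server's policy for the base name.

    Everything after the first ':' in the submitted name is client input
    and plays no part in deciding which tags are allowed.
    """
    base = submitted_name.split(":", 1)[0]
    allowed = FIELD_POLICY.get(base, frozenset())  # unknown field: no tags
    parser = AllowlistSanitizer(allowed)
    parser.feed(value)
    parser.close()
    return "".join(parser.out)
```

A marshalling hint in the field name can still be used for type conversion or display, as long as the sanitizing decision never reads it.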