Andy wrote:
> > You seem to be aware of the fact, but I'd like to point it out
> > explicitly: from a security point of view, this is completely useless.
> > As HTML stripping is often done for security reasons, I fail to see the
> > interest in such a feature.
>
> That depends on where you do the checking; yes, HTML validation in just a form
> is not as secure as checking at the application level. What I am suggesting
> is adding the HTML validation framework into the core of Zope so people can
> add checking to any level of their application as they wish. Making a
> standard interface to this gives the developer a chance to put the checking
> in at the level they choose.
If it's easy to get to I could also use it from Formulator, which, though I don't guarantee perfect security, at least has a design which makes it far less easy to fool than the Zope marshalling :foo thing (which you can fool just by writing your own HTML form). All you'd need is to add an HTMLField to the system which has the right knobs to set exactly what you want to allow in entered HTML -- that's also a far better user interface than thinking up yet another marshalling :html:foo:bar strategy.

Anyway, just a module that I can import from Python that exposes the functionality would already be worth a lot to have in the core; I'm loath to introduce dependencies on non-core stuff in Formulator, as it's aiming to be a very fundamental product that should just work out of the box. The only non-core dependency right now is on TALES, but it still works without it; you can also use Core Session Tracking in a simple way. Once Zope 2.5 is out I plan to start depending on sessions and TALES a lot more though, as they have those in the core.

Regards,

Martijn

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )