On Thu, Aug 01, 2002 at 10:29:36AM -0600, Jeffrey P Shell wrote:
> Hopefully I'll get a chance to test it with some of our 2.5 sites - I have a
> small worry that old code on small sites that we don't have much worry about
> will break if this is put into a 2.5.2 or later release. Could there be a
> way to disable this "feature" in 2.5 via a z2/environment variable or some
> other configuration setting, but have it be automatic in 2.6? "Potential
> code breakage" and "point point release" leave me a little worried about
> maintaining 2.5 sites.
>
> It may not be an issue - I have to digest the changes in more depth than
> I've had (or currently have) time for, but that's the thought that crossed
> my mind earlier.

From a technical standpoint I can indeed add a switch that would disable the
occurrence of tainted strings, yes. I'll discuss this with Brian, it shouldn't
be hard to add.

But note that breakage only occurs when REQUEST data actually contains possibly
dangerous markup, and your site was vulnerable in those areas that now break.
Disabling the tainting will leave you vulnerable.

--
Martijn Pieters
| Software Engineer            mailto:[EMAIL PROTECTED]
| Zope Corporation             http://www.zope.com/
| Creators of Zope             http://www.zope.org/