On Thu, Aug 01, 2002 at 12:34:30PM -0400, Martijn Pieters wrote:
> On Thu, Aug 01, 2002 at 10:29:36AM -0600, Jeffrey P Shell wrote:
> > Hopefully I'll get a chance to test it with some of our 2.5 sites - I have a
> > small worry that old code on small sites that we don't have much worry about
> > will break if this is put into a 2.5.2 or later release. Could there be a
> > way to disable this "feature" in 2.5 via a z2/environment variable or some
> > other configuration setting, but have it be automatic in 2.6? "Potential
> > code breakage" and "point point release" leave me a little worried about
> > maintaining 2.5 sites.
> >
> > It may not be an issue - I have to digest the changes in more depth than
> > I've had (or currently have) time for, but that's the thought that crossed
> > my mind earlier.
>
> From a technical standpoint I can indeed add a switch that would disable the
> occurrence of tainted strings, yes. I'll discuss this with Brian, it
> shouldn't be hard to add.
>
> But note that breakage only occurs when REQUEST data actually contains
> possibly dangerous markup, and your site was vulnerable in those areas that
> now break. Disabling the tainting will leave you vulnerable.
Just checked into CVS for both 2.5 and 2.6; setting ZOPE_DTML_REQUEST_AUTOQUOTE to one of 'no', '0', or 'disabled' will disable the new tainting of strings and thus disable autoquoting.

-- 
Martijn Pieters | Software Engineer
mailto:[EMAIL PROTECTED] | Zope Corporation
http://www.zope.com/ | Creators of Zope
http://www.zope.org/

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
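To make the trade-off in the thread concrete, here is a small Python model of request-string tainting and the ZOPE_DTML_REQUEST_AUTOQUOTE switch. It is an added illustration, not Zope's own TaintedString class, HTTPRequest or DTML engine: only the variable name and its disabling values ('no', '0', 'disabled') come from the message. Tainting on the presence of '<', the case-insensitive comparison of the variable's value, the ${name} placeholder syntax and the sample form data are all assumptions made for the example.

```python
"""Toy model of tainted request strings and DTML-style autoquoting.

Illustrative code only; not Zope's implementation. Only the environment
variable ZOPE_DTML_REQUEST_AUTOQUOTE and its values 'no', '0', 'disabled'
are taken from the mailing-list message.
"""
import os
from html import escape

# Values named in the message as disabling the new behaviour.
DISABLE_VALUES = ('no', '0', 'disabled')


def autoquote_enabled(environ=None):
    """Return True unless ZOPE_DTML_REQUEST_AUTOQUOTE holds a disabling value.

    Lower-casing the value is an assumption of this model, not documented
    Zope behaviour.
    """
    environ = os.environ if environ is None else environ
    value = environ.get('ZOPE_DTML_REQUEST_AUTOQUOTE', '').strip().lower()
    return value not in DISABLE_VALUES


class TaintedString:
    """A request value that carries markup and is quoted when rendered."""

    def __init__(self, value):
        self.value = value

    def quoted(self):
        # HTML-escape <, >, &, " and ' so the value renders as text, not tags.
        return escape(self.value, quote=True)

    def __str__(self):
        # The raw value stays reachable for code that explicitly wants it.
        return self.value


def taint_request(form, environ=None):
    """Wrap values that contain '<' in TaintedString, unless tainting is disabled.

    Only values containing markup are tainted (assumed trigger: a '<'
    character); plain values are left as ordinary str and behave exactly as
    before, which is why breakage is limited to the places that were
    vulnerable.
    """
    if not autoquote_enabled(environ):
        return dict(form)
    return {k: TaintedString(v) if '<' in v else v for k, v in form.items()}


def render(template, form, environ=None):
    """Substitute ${name} placeholders the way a dtml-var would.

    Tainted values are autoquoted; untainted values are inserted verbatim.
    """
    out = template
    for name, value in taint_request(form, environ).items():
        rendered = value.quoted() if isinstance(value, TaintedString) else value
        out = out.replace('${' + name + '}', rendered)
    return out


# Constructed sample form data: one harmless field, one carrying markup.
SAMPLE_FORM = {'name': 'alice', 'comment': '<script>alert(1)</script>'}
TEMPLATE = 'Hi ${name}: ${comment}'


if __name__ == '__main__':
    print(render(TEMPLATE, SAMPLE_FORM, {}))
    print(render(TEMPLATE, SAMPLE_FORM, {'ZOPE_DTML_REQUEST_AUTOQUOTE': 'no'}))
```

Run with the switch left unset, the markup in the comment field is escaped in the output; run with ZOPE_DTML_REQUEST_AUTOQUOTE=no, the raw markup reaches the page, which is exactly the "leaves you vulnerable" case the message describes. Because tainting is keyed on the presence of markup, a site whose templates never see such input renders identically under both settings.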