On Thu, Aug 01, 2002 at 12:34:30PM -0400, Martijn Pieters wrote:
> On Thu, Aug 01, 2002 at 10:29:36AM -0600, Jeffrey P Shell wrote:
> > Hopefully I'll get a chance to test it with some of our 2.5 sites - I have a
> > small worry that old code on small sites that we don't have much worry about
> > will break if this is put into a 2.5.2 or later release.  Could there be a
> > way to disable this "feature" in 2.5 via a z2/environment variable or some
> > other configuration setting, but have it be automatic in 2.6?  "Potential
> > code breakage" and "point point release" leave me a little worried about
> > maintaining 2.5 sites.
> > 
> > It may not be an issue - I have to digest the changes in more depth that
> > I've had (or currently have) time for, but that's the thought that crossed
> > my mind earlier.
> From a technical standpoint I can indeed add a switch that would disable the
> occurence of tainted strings, yes. I'll discuss this with Brian, it
> shouldn't be hard to add.
> But note that breakage only occurs when REQUEST data actually contains
> possibly dangerous markup, and your site was vulnerable in those areas that
> now break. Disabeling the tainting will leave you vulnerable.

Just checked into CVS for both 2.5 and 2.6; setting
ZOPE_DTML_REQUEST_AUTOQUOTE to one of 'no', '0', or 'disabled' will disable
the new tainting of strings and thus disable autoquoting.

Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to