Likewise Im trying to digest all that and Im a little suprised. More magic in DTML? Not something I'd vote for normally.
Im a little confused why this is suddenly an issue, yeah so we pull a string out of the REQUEST and thanks to DTML stack we may not know where it came from. Well thats always been there. And yeah the string may contain nasty HTML. Again that's always been there. In the past (and I cant find posts to show it) the party line was Zope is an application server and its up to the person developing the application to worry about it. Thats why ChrisW wrote stripogram and I use it in quite a few apps. One other question? Why does it matter that the string is implicitly called, why dont you taint explicitly called to? It makes me think of Perl where taint mode taints anything coming from the user? This still doesnt solve the party line and means I would like to suggest again (and this time I have the time to work on it) that we add something like stripogram or similar to the core, so that is easy for an application developer to have access to strip html and other functions from products, DTML, Python Scripts etc to easily alter, manage and make HTML safer. -- Andy McKay @gmweb Consulting http://www.agmweb.ca _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )