yuppie wrote at 2006-3-15 11:23 +0100:
>Zope 2's checkValidId makes sure this doesn't happen with Zope 2 folder
>methods, Zope 3's NameChooser makes sure this doesn't happen with Zope 3
>folder views. Even the bad_id patch described above doesn't allow
>overriding folder methods.
Maybe "checkValidId" should refuse to add an object with
an id that hides a view declared for this folder, and not
reject any id that might (potentially) hide a view because
it starts with "@" or "+"...
This would prevent the security concerns you seem to have
and allow most ids to be accepted...
Zope-Dev maillist - Zope-Dev@zope.org
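The two policies discussed in this thread, side by side, as an added illustration that is not Zope's own code (the `Folder`, `prefix_check`, `declared_name_check` and `compare` names are hypothetical stand-ins, not OFS.ObjectManager.checkValidId): the blanket "@"/"+" prefix rule versus refusing only an id that would actually hide a view declared for the folder or a folder method.

```python
# Hypothetical illustration, not Zope's OFS.ObjectManager.checkValidId: contrast
# a blanket "@"/"+" prefix rule with refusing only ids that would actually shadow
# a view declared for the folder (or a folder method).

class Folder:
    """Constructed stand-in: attribute-based method lookup plus a registry
    of views declared for this folder."""
    def __init__(self, declared_views, existing_ids=()):
        self.declared_views = frozenset(declared_views)
        self.objects = dict.fromkeys(existing_ids)

    def manage_main(self):
        return "management screen"  # content with this id would hide it

def _common_check(folder, new_id):
    """Checks both variants share: reserved, duplicate and method-hiding ids."""
    if not new_id or new_id.startswith("_"):
        return False, "empty or reserved id"
    if new_id in folder.objects:
        return False, "id already in use"
    if hasattr(folder, new_id):
        return False, "id hides a folder method"
    return True, "ok"

def prefix_check(folder, new_id):
    """Blanket rule: refuse anything that merely looks like a view name."""
    if new_id.startswith(("@", "+")):
        return False, "id starts with a view prefix"
    return _common_check(folder, new_id)

def declared_name_check(folder, new_id):
    """The proposal: refuse only ids that hide a view actually declared for
    this folder, so other '@'/'+' ids stay usable."""
    if new_id in folder.declared_views:
        return False, "id hides a view declared for this folder"
    return _common_check(folder, new_id)

def compare(folder, candidate_ids):
    """Map each candidate id to (accepted_by_prefix_rule, accepted_by_proposal)."""
    return {i: (prefix_check(folder, i)[0], declared_name_check(folder, i)[0])
            for i in candidate_ids}

if __name__ == "__main__":
    f = Folder(declared_views={"@@edit", "+", "view"}, existing_ids=["old"])
    for i, (by_prefix, by_proposal) in compare(
            f, ["@@edit", "@news", "+", "view", "manage_main", "old", "report-2006"]).items():
        print(f"{i:12} prefix_rule={by_prefix!s:5} proposal={by_proposal}")
```

Note that a declared view without an "@"/"+" prefix (here "view") slips past the prefix rule but is caught by the declared-name rule, while "@news" is refused by the prefix rule although it hides nothing.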