On 4/6/11 7:43 PM, Roger wrote:
> I think to protect the form is just a part of a concept.
> user generated content. If an application allows posting
> JS in a blog post or comment etc. it should be possible to
> use easydmx to read and re-use the secure form token.
> (not approved but should work)
For that reason both CMF as well as Plone "clean"
user input by stripping nasty tags and such - at
least by default.
> One of my bigger concerns is also that such a token will
> break a lot of our tests which would force us to use
> custom non security token generating form classes.
> I'm fine in general with implementing such a concept
> in z3c.form but it should be optional.
> Why not offer additional form classes or a mixin
> to support such a token?
> Roger Ineichen
> Zope-Dev maillist - Zope-Dev@zope.org
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope )