Tres Seaver wrote:
Hash: SHA1

Michael Haubenwallner wrote:
Tres Seaver wrote:
Hash: SHA1

Jim Fulton wrote:

Zope 3, as releases is not affected by the security hole that
has plagued Zope 2, however, Michael Haubenwallner has pointed
out that some add-on-products, such as zwiki and bugtracker, may
provide TTW reST.
They appear to be "safe" for the moment, but not because they
intentionally disable file inclusion:  rather, they have a bug (they set
the 'encoding' to 'unicode', which then causes an exception).

Both restructuredText directives 'include' and 'raw' have an 'encoding'
option to set the name of text encoding of the external data file/raw
data (file or URL), it defaults to the document's encoding (if specified).

.. include:: filename.ext
  :encoding: utf-8

.. raw:: html
  :file: filename.ext
  :encoding: utf-8

should work as expected


Verified.  Both wikis and bugtracker issues are capable of including
arbitrary files using that spelling (in an instance created from today's
Zope3 trunk, anyway).

Zope3 accesses docutils in a single point atm:

All objects created from the factory are rendered here.
It should be possible to configure the docutils parser (and its directives) by adjusting the 'settings_overrides' values.

I think the same can be done (and is done already) for Zope2.x in lib.python.reStructuredText.render() with the 'settings' dictionary.

That way it would be possible to make the parser usage configurable and no need to use a patched docutils.



Zope3-dev mailing list

Reply via email to