[Zope-PTK] Wizards and Form data types
Itamar Shtull-Trauring
itamar@maxnm.com
Sun, 03 Dec 2000 12:14:39 +0200
Tiago Antão wrote:
> If you declare a form parameter as :list it will be returned as a string
> BUT that string has a list syntax so eval() can be used to get a real
> list.
VERY BAD idea. People can send you any arbitrary Python expression and it
will be evaluated, e.g. "__import__('os').system('rm -rf /')". Never ever do
eval() or open() on data passed from the user.
--
Itamar Shtull-Trauring, itamar(at)shtull-trauring.org
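An added illustration of the point above (example code, not from the thread or from Zope): the same ":list" string parsed once with eval(), which runs whatever the request carries, and once with ast.literal_eval(), which accepts only Python literals and refuses names, calls and attribute access. The sample form values, the SIDE_EFFECTS marker list and the function names are constructed for the example; the hostile payload only records that it ran instead of deleting anything.

```python
"""Why eval() on a form parameter is remote code execution, and the safe
alternative. Example code, not from the original post or from Zope.

Assumption (not from the post): the ':list' field arrives as the string
"['a', 'b']" and the application wants a list of str back.
"""
import ast

# Constructed sample inputs, standing in for what a browser would submit.
BENIGN = "['apple', 'pear']"

# Marker list: a payload that appends here proves arbitrary code executed.
SIDE_EFFECTS = []

# Hostile submission. Any expression works; this one reaches the os module
# and writes a marker instead of running the rm -rf from the post.
MALICIOUS = "SIDE_EFFECTS.append(__import__('os').getcwd()) or []"


def parse_list_unsafe(form_value):
    """The approach warned against: eval() executes the submitted text.

    Code the user sent runs with the privileges of the server process, so
    '__import__('os').system(...)' in the field is a remote shell.
    """
    return eval(form_value)


def parse_list_safe(form_value):
    """Parse a ':list' string into a list of str without executing code.

    ast.literal_eval accepts only literals (str, numbers, tuple, list,
    dict, set, bool, None). A Name, Call or Attribute node raises
    ValueError, so '__import__' is never looked up, let alone called.
    The result is then type-checked: a literal is still untrusted data.
    """
    try:
        value = ast.literal_eval(form_value)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("form value is not a list literal") from exc
    if not isinstance(value, list) or not all(isinstance(x, str) for x in value):
        raise ValueError("form value must be a list of strings")
    return value


def rejects(form_value):
    """True if the safe parser refuses the value (used to check behaviour)."""
    try:
        parse_list_safe(form_value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, benign   :", parse_list_unsafe(BENIGN))
    print("unsafe, malicious:", parse_list_unsafe(MALICIOUS),
          "-> payload ran:", SIDE_EFFECTS)
    SIDE_EFFECTS.clear()
    print("safe, benign     :", parse_list_safe(BENIGN))
    print("safe, malicious  : rejected =", rejects(MALICIOUS),
          "-> payload ran:", SIDE_EFFECTS)
```

literal_eval still parses the whole string, so a very deeply nested literal can exhaust the parser's recursion limit; cap the length of the field before parsing if the form is reachable by anonymous users.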