[Zope-dev] HTMLFile vs DTMLFile

Toby Dickenson tdickenson@geminidataloggers.com
Thu, 27 Sep 2001 15:28:08 +0100


On Thu, 27 Sep 2001 15:48:45 +0200, Dario Lopez-Kästen
<dario@ita.chalmers.se> wrote:

>Why would one want to use DTMLFile or HTMLFile, and what are the
>differences, benefits or drawbacks of each?

Both of them use files stored in the filesystem, which means they are
completely trusted. No security checks are performed as they execute.

DTMLFile is the usual choice. It sets up the dtml namespace so that
the first place searched is the object that the DTMLFile is an
attribute of.

HTMLFile doesn't tweak the namespace in this way; it will be in the
same state as provided by your caller. This makes it very easy to open
a security hole. HTMLFile should be avoided unless you have a very
good reason to need it.

(there was a full description of the potential security hole in the
Collector....)

Toby Dickenson
tdickenson@geminidataloggers.com
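A toy Python model of the namespace difference described above, added here as an illustration; it is not Zope's DocumentTemplate code and not from this thread. The Namespace, Owner and render_* names are hypothetical and the sample values are constructed.

```python
# Hypothetical model of DTML-style namespace lookup (not Zope code).
# A namespace is a stack searched from the most recently pushed layer
# downwards; dict layers model REQUEST/form data, object layers model
# Zope objects whose attributes are looked up.

class Namespace:
    def __init__(self, *layers):
        self.layers = list(layers)

    def push(self, layer):
        # Return a new stack with `layer` on top (searched first).
        return Namespace(*self.layers, layer)

    def lookup(self, name):
        for layer in reversed(self.layers):
            if isinstance(layer, dict):
                if name in layer:
                    return layer[name]
            elif hasattr(layer, name):
                return getattr(layer, name)
        raise KeyError(name)


class Owner:
    # The object the template is an attribute of (constructed sample).
    config_path = "/data/owner-config"


def render_dtmlfile(owner, caller_ns, var="config_path"):
    # DTMLFile-style binding: the owning object is pushed on top of the
    # caller's namespace, so the owner's attribute is found first.
    return caller_ns.push(owner).lookup(var)


def render_htmlfile(owner, caller_ns, var="config_path"):
    # HTMLFile-style binding: the caller's namespace is used as-is, so
    # whatever the caller pushed last (e.g. form data) shadows the owner.
    return caller_ns.lookup(var)


if __name__ == "__main__":
    # Constructed caller namespace whose top layer carries a same-named key.
    caller = Namespace(Owner(), {"config_path": "supplied-by-caller"})
    print("DTMLFile-style:", render_dtmlfile(Owner(), caller))
    print("HTMLFile-style:", render_htmlfile(Owner(), caller))
```

The model shows why the post prefers DTMLFile: with the owner bound first, a template variable resolves to the object's own attribute; with HTMLFile-style binding the same variable resolves to whatever the caller's namespace happens to hold.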