[Zope-Coders] Re: [Zope-dev] Re: DTML and REQUEST data changes about to be checked in

Martijn Pieters mj@zope.com
Thu, 1 Aug 2002 14:20:43 -0400


On Thu, Aug 01, 2002 at 12:34:30PM -0400, Martijn Pieters wrote:
> On Thu, Aug 01, 2002 at 10:29:36AM -0600, Jeffrey P Shell wrote:
> > Hopefully I'll get a chance to test it with some of our 2.5 sites - I have a
> > small worry that old code on small sites that we don't have much worry about
> > will break if this is put into a 2.5.2 or later release.  Could there be a
> > way to disable this "feature" in 2.5 via a z2/environment variable or some
> > other configuration setting, but have it be automatic in 2.6?  "Potential
> > code breakage" and "point point release" leave me a little worried about
> > maintaining 2.5 sites.
> > 
> > It may not be an issue - I have to digest the changes in more depth that
> > I've had (or currently have) time for, but that's the thought that crossed
> > my mind earlier.
> 
> From a technical standpoint I can indeed add a switch that would disable the
> occurrence of tainted strings, yes. I'll discuss this with Brian, it
> shouldn't be hard to add.
> 
> But note that breakage only occurs when REQUEST data actually contains
> possibly dangerous markup, and your site was vulnerable in those areas that
> now break. Disabling the tainting will leave you vulnerable.

Just checked into CVS for both 2.5 and 2.6; setting
ZOPE_DTML_REQUEST_AUTOQUOTE to one of 'no', '0', or 'disabled' will disable
the new tainting of strings and thus disable autoquoting.

-- 
Martijn Pieters
| Software Engineer  mailto:mj@zope.com
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
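An added illustration of the mechanism the thread describes (not code from the post or from Zope itself): REQUEST values that look like markup are wrapped in a tainted string that renders HTML-quoted, and the ZOPE_DTML_REQUEST_AUTOQUOTE values 'no', '0' and 'disabled' switch the tainting off. The class and function names, and the "contains '<'" test for dangerous markup, are assumptions made for this example.

```python
import html
import os

# Constructed example: a minimal model of tainted REQUEST strings and DTML
# autoquoting. Names below are assumptions, not Zope's own identifiers.

DISABLE_VALUES = ('no', '0', 'disabled')   # values the post says disable tainting


def autoquote_enabled(environ=None):
    """False when ZOPE_DTML_REQUEST_AUTOQUOTE holds one of the disabling values."""
    environ = os.environ if environ is None else environ
    value = environ.get('ZOPE_DTML_REQUEST_AUTOQUOTE', '')
    return value.strip().lower() not in DISABLE_VALUES


class TaintedString:
    """A request value carrying possible markup; renders HTML-escaped by default."""

    def __init__(self, value):
        self.value = value

    def quoted(self):
        # Escape <, >, &, " and ' so the value cannot inject tags or attributes.
        return html.escape(self.value, quote=True)

    def __str__(self):
        # Template rendering goes through str(), so the escaped form is the default.
        return self.quoted()


def taint_request_value(value, environ=None):
    """Wrap a request value when tainting is enabled and it contains markup."""
    # Assumption: '<' is the marker for "possibly dangerous markup".
    if autoquote_enabled(environ) and isinstance(value, str) and '<' in value:
        return TaintedString(value)
    return value


def render_greeting(request, environ=None):
    """Stand-in for a DTML snippet such as '<p>Hello <dtml-var name></p>'."""
    name = taint_request_value(request.get('name', ''), environ)
    return '<p>Hello %s</p>' % name


if __name__ == '__main__':
    # Tainted by default: the markup is quoted on output.
    print(render_greeting({'name': '<script>alert(1)</script>'}, {}))
    # With tainting disabled, the raw markup reaches the page unchanged.
    print(render_greeting({'name': '<b>x</b>'},
                          {'ZOPE_DTML_REQUEST_AUTOQUOTE': 'disabled'}))
```

Passing an explicit `environ` dict keeps the example independent of the real process environment; in practice the setting is read from `os.environ`.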