[ZPT] Path interpolation

Evan Simpson evan@4-am.com
Fri, 02 Aug 2002 14:07:07 -0500


Shane Hathaway wrote:
> Steve A. has talked about this before, and I still don't see why this 
> can be considered a security hole.  HTTP URLs passed to Zope "cause 
> traversal to an arbitrary object".  So traversal is already a highly 
> protected operation.  Why do page templates have to be further limited?

I probably should have put my conclusion at the top of my post, rather 
than my complete reasoning :-)

I recommend making '$' work the way everyone expects (simple string 
interpolation) and slightly expanding the usability of '?'.  Thus:

<tal:demo define="x string:a/b; a python:{'b': 1, 'a/b': 2, '2': 3}"
           replace="string:$x, ${$x}, ${a/?x}, ${a/?{$x}}" />

...becomes "a/b, 1, 2, 3".  Wacky, no?

Cheers,

Evan
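To make the proposed semantics concrete, here is a small Python model of the three unambiguous forms in the demo above: `$name` as plain string interpolation, `${path}` as path traversal, and a `?name` segment that takes its key from a variable (the existing ZPT behaviour Evan refers to). Inside `${...}`, `$` is expanded first and the resulting text is then traversed, which is exactly what makes `${$x}` evaluate the path `a/b`. This is an added illustration, not code from the thread or from Zope; the nested `?{$x}` form in the fourth term is not modelled because the message does not spell out its rules, and the `$$` escape is taken from TALES string expressions rather than from this post.

```python
import re

# Identifier that may follow a bare '$' (an assumption of this toy model).
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def traverse(path, variables):
    """Resolve a path like 'a/b' against `variables`.

    The first segment names a variable; every later segment is a key looked
    up in the object found so far (mappings only, in this toy). A segment
    starting with '?' uses the *value* of the named variable as the key,
    which is how '?x' in the demo selects the key 'a/b'.
    """
    segments = path.split("/")
    head, rest = segments[0], segments[1:]
    name = str(variables[head[1:]]) if head.startswith("?") else head
    obj = variables[name]
    for seg in rest:
        key = str(variables[seg[1:]]) if seg.startswith("?") else seg
        obj = obj[key]  # every lookup funnels through here: one place for policy
    return obj


def interpolate(template, variables):
    """Expand a 'string:'-style template with the proposed '$' semantics.

    $name    -> str(variables[name])        (simple string interpolation)
    ${...}   -> the braces' content has '$' expanded first, then the
                result is traversed as a path and stringified
    $$       -> a literal '$' (TALES string-expression escape)
    """
    out, i, n = [], 0, len(template)
    while i < n:
        ch = template[i]
        if ch != "$":
            out.append(ch)
            i += 1
            continue
        if i + 1 < n and template[i + 1] == "$":
            out.append("$")
            i += 2
            continue
        if i + 1 < n and template[i + 1] == "{":
            # Find the matching close brace, tolerating nested braces.
            depth, j = 0, i + 1
            while j < n:
                if template[j] == "{":
                    depth += 1
                elif template[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth != 0:
                raise ValueError("unbalanced '${' in template")
            inner = template[i + 2:j]
            # Proposed rule: plain '$' interpolation inside the braces happens
            # before the result is treated as a path.
            out.append(str(traverse(interpolate(inner, variables), variables)))
            i = j + 1
            continue
        m = _NAME.match(template, i + 1)
        if not m:
            raise ValueError("'$' must be followed by a name, '{' or '$'")
        out.append(str(variables[m.group()]))
        i = m.end()
    return "".join(out)


# Constructed sample matching the demo's 'define' attribute.
VARIABLES = {"x": "a/b", "a": {"b": 1, "a/b": 2, "2": 3}}


def demo():
    # The first three terms of the demo's replace attribute.
    return interpolate("$x, ${$x}, ${a/?x}", VARIABLES)


if __name__ == "__main__":
    print(demo())
```

Because every path step goes through `traverse`, the question raised in the thread (whether interpolated traversal needs extra limiting) reduces to what that one function is allowed to do; a real implementation would apply its traversal checks there rather than in the string scanner.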