[ZPT] Path interpolation

Shane Hathaway shane@zope.com
Fri, 02 Aug 2002 15:28:55 -0400


Evan Simpson wrote:
> Shane Hathaway wrote:
> 
>> Steve A. has talked about this before, and I still don't see why this 
>> can be considered a security hole.  HTTP URLs passed to Zope "cause 
>> traversal to an arbitrary object".  So traversal is already a highly 
>> protected operation.  Why do page templates have to be further limited?
> 
> I probably should have put my conclusion at the top of my post, rather 
> than my complete reasoning :-)

Ok.  The word "interpolation" is a little confusing here--maybe we 
should call it string substitution. :-)

> I recommend making '$' work the way everyone expects (simple string 
> interpolation) and slightly expanding the usability of '?'.  Thus:
> 
> <tal:demo define="x string:a/b; a python:{'b': 1, 'a/b': 2, '2': 3}"
>           replace="string:$x, ${$x}, ${a/?x}, ${a/?{$x}}" />
> 
> ..becomes "a/b, 1, 2, 3".  Wacky, no?

Wacky indeed.  I can imagine that the designers of "bash" had 
discussions much like this many years ago.  :-)  Can we say that a 
question mark is only valid when it's located immediately after a slash 
character?

Shane