[Zope-Coders] dtml-var cleanup
Florent Guillaume
fg@nuxeo.com
24 Oct 2002 16:41:51 +0200
On Thu, 2002-10-24 at 07:36, Shane Hathaway wrote:
> > If everything looks ok, I'll merge this into HEAD. I think it warrants
> > merging into the 2.6 branch too before 2.6.1. I don't know about 2.5
> > (and the merge would be much more complex).
>
> I'd like to see this in Zope 2.7, but putting it in Zope 2.6.x would
> cause pain. No one can be sure you converted every tag perfectly. We
> need a release we can depend on. Most of the work of fixing potential
> XSS holes was already done previously (by Martijn, I think), and even
> then it was mostly paranoia. :-) If you have specific cases that really
> can be exploited, then we should consider merging only those specific
> fixes into Zope 2.6.

Ok I'll try to isolate the small number that are obviously dangerous.

Florent
--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com