Commit 169f1ab1 authored by Martijn Pieters

Allow switching tainting off. AT YOUR OWN RISK, you can now set
ZOPE_DTML_REQUEST_AUTOQUOTE to one of 'no', '0', or 'disabled' and no
tainting will take place.
parent 1cbc79cd
......@@ -87,8 +87,10 @@ Zope Changes
- <dtml-var name> and &dtml.-name; will now automatically HTML-quote
unsafe data taken implictly from the REQUEST object. Data taken
explicitly from the REQUEST object is not affected, as well as any
other data not originating from REQUEST.
other data not originating from REQUEST. This can be disabled (at
your own risk!) by setting the environment variable
ZOPE_DTML_REQUEST_AUTOQUOTE to one of 'no', '0', or 'disabled'.
- ZCatalog index management ui is now integrated into ZCatalog rather
than being a subobject managment screen with different tabs.
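Review bot: the new CHANGES sentence should state the two operational details the code imposes but the text omits: the comparison is case-insensitive (the value is lowercased before being checked), and the variable is read once at module import, so changing it requires restarting the Zope process. It is also worth saying explicitly that an unset or empty variable, or any value other than the three listed, leaves auto-quoting enabled, since that is the safe default an operator will want to confirm. Minor: "implictly" in the unchanged context line above should read "implicitly".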
......
......@@ -11,7 +11,7 @@
#
##############################################################################
__version__='$Revision: 1.75 $'[11:-2]
__version__='$Revision: 1.76 $'[11:-2]
import re, sys, os, urllib, time, random, cgi, codecs
from BaseRequest import BaseRequest
......@@ -55,6 +55,9 @@ hide_key={'HTTP_AUTHORIZATION':1,
default_port={'http': '80', 'https': '443'}
tainting_env = str(os.environ.get('ZOPE_DTML_REQUEST_AUTOQUOTE', '')).lower()
TAINTING_ENABLED = tainting_env not in ('disabled', '0', 'no')
_marker=[]
class HTTPRequest(BaseRequest):
"""\
......@@ -1302,8 +1305,8 @@ class HTTPRequest(BaseRequest):
base64.decodestring(auth.split()[-1]).split(':')
return name, password
def taintWrapper(self):
return TaintRequestWrapper(self)
def taintWrapper(self, enabled=TAINTING_ENABLED):
return enabled and TaintRequestWrapper(self) or self
class TaintRequestWrapper:
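Review bot: `return enabled and TaintRequestWrapper(self) or self` relies on the wrapper instance always being truthy; if `TaintRequestWrapper` ever gains a `__len__` or `__nonzero__` that can return false, the `or self` branch would hand back the untainted request with no error. An explicit form is safer and clearer:
`if enabled:`
`    return TaintRequestWrapper(self)`
`return self`
Also, the `enabled=TAINTING_ENABLED` default binds the module-level value at definition time and lets any caller pass `enabled=0` to bypass tainting per call; if that per-call override is intended, a docstring on `taintWrapper` should say so, otherwise drop the parameter and test `TAINTING_ENABLED` inside the body.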
......