[albatross-users] pagination with al-for
Michael C. Neel
neel at mediapulse.com
Wed Jan 7 03:07:38 EST 2004
> Oops - "action" is used in HTML, which could cause some confusion. I'd
> suggest something like "al-action", but I suspect that's not legal XML
> (I'll have to research it).
Perhaps we could go with "exec", though it might be confused with expr.
Other options could be "run", "eval", or "method".
> It's actually considerably more complicated than the nextpage backdoor
> (which just relies on a specifically formatted input:
>
> nextpage,<iterator_name>
Yes, I've looked at the code and seen that sometimes it's <>,<> and
sometimes it's <>,<>,<> so a generic solution would have to account for
multiple arguments, and those may be coming from ctx.locals as well.
>
> We're essentially talking about executing the code, not at template
> execution time as happens with things like valuexpr, but at form
> submission time. What we would probably need to do is save the value of
> the al-action attribute in __albform__. This really brings the security
> issues of the hidden field mixins to a head - but in one sense we're
> already executing the __albform__ pickle (unpickling needs to be able
> to instantiate classes).
>
Yes, there are some issues here. We could also have the tags register
the "legal" methods exposed this way, and verify a match before
execution. I don't know what you could do to the hidden field mixin to
make it more secure that isn't already done. I'd also be interested to
know about anyone who's spoofed a session without knowing the secret key
=).
Mike
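One way to build the registry of "legal" methods and the verify-before-execute check discussed above, as an added example that is not Albatross code: the `ActionRegistry` class, the JSON-plus-HMAC hidden-field format and the secret key are assumptions, and JSON stands in for the `__albform__` pickle so that no untrusted input is ever unpickled.

```python
import hmac
import hashlib
import json

# Constructed example, not Albatross code. Template tags register the methods
# they expose; the hidden field carries the action name and arguments signed
# with the secret key, so it cannot be altered or forged without that key.
SECRET_KEY = b"constructed-secret-key"  # per-deployment secret, never put in a template


class ActionRegistry:
    def __init__(self):
        self._legal = {}

    def register(self, name, func):
        """Called by a tag at template-execution time to expose one method."""
        self._legal[name] = func

    def encode_hidden(self, name, *args):
        """Build the hidden-field value: JSON payload + '|' + HMAC-SHA256 tag."""
        if name not in self._legal:
            raise KeyError("unregistered action: %s" % name)
        payload = json.dumps({"action": name, "args": list(args)}, sort_keys=True)
        tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "|" + tag

    def dispatch(self, hidden_value):
        """At form-submission time: check the signature, then the allow-list, then call."""
        payload, sep, tag = hidden_value.rpartition("|")
        if not sep:
            raise ValueError("malformed hidden field")
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("hidden field signature mismatch")
        data = json.loads(payload)
        func = self._legal.get(data.get("action"))
        if func is None:
            # Signed by us but never registered by a tag: refuse to execute it.
            raise ValueError("action not registered: %r" % data.get("action"))
        return func(*data.get("args", []))
```

A field that is edited in transit fails the HMAC check, and a field naming a method no tag registered fails the allow-list check, so only the methods the template deliberately exposed can ever be called at submission time.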