[albatross-users] pagination with al-for

Michael C. Neel neel at mediapulse.com
Wed Jan 7 03:07:38 EST 2004


> Oops - "action" is used in HTML, which could cause some confusion. I'd
> suggest something like "al-action", but I suspect that's not legal XML
> (I'll have to research it).

Perhaps we could go with "exec", though it might be confused with expr.
Other options could be "run", "eval", or "method".
 
> It's actually considerably more complicated than the nextpage backdoor
> (which just relies on a specifically formatted input:
> 
>     nextpage,<iterator_name>

Yes, I've looked at the code and seen that sometimes it's <>,<> and
sometimes it's <>,<>,<> so a generic solution would have to account for
multiple arguments, and those may be coming from ctx.locals as well.

> 
> We're essentially talking about executing the code, not at template
> execution time as happens with things like valuexpr, but at form
> submission time. What we would probably need to do is save the value of
> the al-action attribute in __albform__. This really brings the security
> issues of the hidden field mixins to a head - but in one sense we're
> already executing the __albform__ pickle (unpickling needs to be able
> to instantiate classes).
> 

Yes, there are some issues here.  We could also have the tags register
the "legal" methods exposed this way, and verify a match before
execution.  I don't know what you could do to the hidden field mixin to
make it more secure that isn't already done.  I'd also be interested to
know about anyone who's spoofed a session without knowing the secret key
=).

Mike
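One way to implement the two ideas in the reply above, registering the "legal" methods that a form may trigger and refusing anything else, and keying the hidden field so it cannot be altered without the secret, as an added Python example that is not Albatross code and does not come from the thread; the `register_action` decorator, `dispatch`, the `state` dict layout, the `name,arg,arg` spec format and the secret value are all assumptions for illustration:

```python
import hmac
import hashlib

# Constructed example secret: a real deployment reads it from server-side
# configuration, never from the page or the request.
SECRET_KEY = b"constructed-example-secret"

# Registry of handlers a form is allowed to invoke at submission time.
# Only names registered here can ever be reached from the hidden field.
_ACTIONS = {}


def register_action(name):
    """Decorator that exposes a function under `name` for form submission."""
    def wrap(fn):
        _ACTIONS[name] = fn
        return fn
    return wrap


# Hypothetical paging state: {iterator_name: {"page": int, "pages": int}}.
@register_action("nextpage")
def nextpage(state, iterator_name):
    it = state[iterator_name]
    it["page"] = min(it["page"] + 1, it["pages"] - 1)
    return it["page"]


@register_action("prevpage")
def prevpage(state, iterator_name):
    it = state[iterator_name]
    it["page"] = max(it["page"] - 1, 0)
    return it["page"]


@register_action("gotopage")
def gotopage(state, iterator_name, page):
    # Three-part spec ("<>,<>,<>"): the handler receives two arguments.
    it = state[iterator_name]
    it["page"] = min(max(int(page), 0), it["pages"] - 1)
    return it["page"]


def sign_hidden_field(spec):
    """Append an HMAC so the client cannot alter `spec` without the secret."""
    mac = hmac.new(SECRET_KEY, spec.encode(), hashlib.sha256).hexdigest()
    return spec + "|" + mac


def verify_hidden_field(field):
    """Return the action spec, or raise ValueError on a bad or missing MAC."""
    spec, sep, mac = field.rpartition("|")
    if not sep:
        raise ValueError("hidden field carries no MAC")
    expected = hmac.new(SECRET_KEY, spec.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        raise ValueError("hidden field MAC does not verify")
    return spec


def parse_action(spec):
    """Split 'name,arg1,arg2,...' into the handler name and its argument list."""
    parts = [p.strip() for p in spec.split(",")]
    if not parts[0]:
        raise ValueError("empty action name")
    return parts[0], parts[1:]


def dispatch(field, state):
    """Verify, parse and run a submitted action; unregistered names are refused."""
    name, args = parse_action(verify_hidden_field(field))
    handler = _ACTIONS.get(name)
    if handler is None:
        raise LookupError("action %r is not registered" % name)
    return handler(state, *args)


if __name__ == "__main__":
    state = {"items": {"page": 0, "pages": 3}}
    print(dispatch(sign_hidden_field("nextpage,items"), state))
    print(dispatch(sign_hidden_field("gotopage,items,2"), state))
```

The registry is the allowlist: a submitted name that was never decorated cannot reach any code, however well-formed the rest of the field is, and the MAC check rejects a field whose spec was changed after the server emitted it. Argument values still arrive as strings from the client, so each handler validates its own (here `int()` and clamping to the page range).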
