[albatross-users] nameexpr with dicts with str keys
Michael C. Neel
neel at mediapulse.com
Mon Jan 26 06:05:01 EST 2004
Currently, doing a nameexpr="'''mydict['%s']''' % something" will cause
an exception at request merge time. The reason for this is it is being
assumed that only lists or dicts with numeric keys are used. The
offending code is around line 390 (in 1.12 dev):
elif state == INDEX:
index = int(elem)
state = CLOSE
Which I changed to this for a work around:
elif state == INDEX:
try:
index = int(elem)
except ValueError:
index = elem[1:-1]
state = CLOSE
Some thoughts. This would still cause problems for a dict whose keys
were strings, but could be converted to ints, such as zipcodes. Given
the "every things is a string" motto on external input, this would be
tricky to solve. I guess you could do some recording at the time of
encoding the session and look at that later, but until I really *need*
this I'm not going there =P
Next is it's not exactly straight forward. You could avoid the whole
mess with an eval(), but an eval on the tokens of the name of a field
seems like a nice way to let hackers play on your server. So I resorted
to [1:-1] to srtip off the quotes (otherwise you'll get a
mydict[''value''] error). Note going to work on triple quotes, but if
you need those inside of an index, share what you're smoking with the
rest of the class.
Unrelated note: In dumping locals() from the templates I noticed
ctx.locals gained a new member, __ctx__. ctx/__ctx__ has quite a few
functions in it I'd rather not be in the locals namespace, even if the
calling them from the outside would be challenging. Also it's common
for our request object to contain usernames/passwords (i.e. for the
database), and since ctx.request._Request__ can give you access to the
raw mod_python req object, well you see where I'm going. If the __ctx__
member isn't providing the greatest thing since sliced bread, can we put
him back in his box?
Mike
More information about the Albatross-users
mailing list