Submitted by : thimo at: 2011-01-21T16:43:01-08:00 (6 years ago)

I think it would be useful to prohibit DTML and the rst raw directive for comments.

It could be implemented by adding something like the following code to the method comment (and append?) of class PageEditingSupport:

if re.search(r'(?i)(<dtml|&dtml)',text) or re.search(r'(?i)(<dtml|&dtml)',subject_heading) \
    or re.search(r'(?i)(\.\.\s*raw\s*::)',text) or re.search(r'(?i)(\.\.\s*raw\s*::)',subject_heading):
    return self.denied(
        _("Sorry, dynamic content is not allowed within comments."))
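The check proposed above, as an added stand-alone example rather than ZWiki's or thimo's code: it applies the same two patterns to every comment field and reports which one matched, so a denial can be logged with a reason. The function and pattern names are my own assumptions.

```python
import re

# Added example (not ZWiki's code): the dynamic-content check from the
# proposal above, as a reusable function over all comment fields.
DYNAMIC_CONTENT_PATTERNS = {
    # DTML tags (<dtml-var ...>) and DTML entity syntax (&dtml-name;), any case
    "dtml": re.compile(r"(?i)(<dtml|&dtml)"),
    # reStructuredText raw directive, tolerating odd spacing: "..raw::", ".. raw ::"
    "rst-raw": re.compile(r"(?i)(\.\.\s*raw\s*::)"),
}


def find_dynamic_content(*fields):
    """Return the name of the first pattern found in any field, or None.

    Empty or missing fields (e.g. no subject heading) are skipped.
    """
    for field in fields:
        if not field:
            continue
        for name, pattern in DYNAMIC_CONTENT_PATTERNS.items():
            if pattern.search(field):
                return name
    return None


def comment_allowed(subject_heading, text):
    """True when neither the subject nor the body carries dynamic content."""
    return find_dynamic_content(subject_heading, text) is None


if __name__ == "__main__":
    # Constructed sample comments (subject, body)
    samples = [
        ("Re: deploy", "Looks good to me."),
        ("Re: deploy", "See <dtml-var standard_html_header>"),
        ("&DTML-title;", "plain body"),
        ("notes", "Text\n\n..  raw:: html\n\n   <b>bold</b>"),
        ("notes", "Mentions raw:: without the directive marker"),
    ]
    for subject, body in samples:
        reason = find_dynamic_content(subject, body)
        print(repr(subject), "->", reason or "allowed")
```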

... --thimo, Fri, 21 Jan 2011 16:45:09 -0800

Name: '#1478 Prevent DTML in comments only' => '#1478 Generally prevent DTML in comments'