durusmail: quixote-users: Adding magic to PTL, Or: how to stop worrying about XSS holes
Adding magic to PTL, Or: how to stop worrying about XSS holes
Greg Ward
2002-10-01
On 01 October 2002, Neil Schemenauer said:
> I propose using a new string type for strings containing markup.  Let's
> call this type 'Markup'.

Is this general enough that it should be called 'Markup'?  Or is this
specific to HTML/XHTML?

> One disadvantage of this proposal is the extra runtime cost.  I thought
> about creating the markup strings at compile time or at module load time
> but that presents many problems.  It's not impossible however and
> perhaps a later version of PTL would use that approach.  I think the
> runtime cost should be quite small.  Markup instances can use the
> __slots__ declaration, making them quite small and cheap to create.
> Also, I could reimplement the Markup type and the quote function in C.
> Personally, I think some speed hit would be worth the convenience and
> security benefits.

Note that doing this cheaply -- e.g. use __slots__, subclass str -- would
tie Quixote to Python 2.2.  That's fine by me, but if anyone out there
is unable/unwilling to move past Python 2.0 or 2.1, you should speak up
now!

        Greg
--
Greg Ward - software developer                gward@mems-exchange.org
MEMS Exchange                            http://www.mems-exchange.org


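The Markup type and quote function Neil proposes, sketched as an added Python example (constructed here; it is not Quixote's or PTL's own code). It assumes a str subclass with __slots__ whose operators escape any plain str they are combined with, so a template only ever emits unescaped text that was explicitly marked safe.

```python
import html


class Markup(str):
    """Text that is already safe HTML (constructed illustration, not PTL's type).

    __slots__ = () means instances carry no __dict__, so they stay as small
    and cheap to create as a plain str.  Every operator that mixes in outside
    data runs it through quote(), so plain strings are escaped and Markup
    passes through untouched.
    """
    __slots__ = ()

    def __add__(self, other):
        return Markup(str.__add__(self, quote(other)))

    def __radd__(self, other):
        # Called for plain_str + Markup: the plain side is the untrusted one.
        return Markup(str.__add__(quote(other), self))

    def __mod__(self, args):
        # Escape template arguments, whatever shape the % operator receives.
        if isinstance(args, tuple):
            args = tuple(quote(a) for a in args)
        elif isinstance(args, dict):
            args = {k: quote(v) for k, v in args.items()}
        else:
            args = quote(args)
        return Markup(str.__mod__(self, args))

    def join(self, items):
        return Markup(str.join(self, [quote(i) for i in items]))


def quote(value):
    """Escape anything that is not already Markup; leave Markup alone."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


def render_comment(author, body):
    # The template literal is trusted; author and body are untrusted input
    # and get escaped by Markup.__mod__.
    template = Markup('<p class="comment"><b>%s</b>: %s</p>')
    return template % (author, body)


if __name__ == "__main__":
    print(render_comment("mallory", "<script>alert(1)</script>"))
```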