Barry Warsaw writes:

> Would you make $list.css editable by the list admin, a la
> listinfo.html? Does doing so open any additional security
> vulnerabilities?

Yes to editable, I don't know to security vulnerabilities. View the
CSS Zen Garden (better yet, get the book), and know fear. What those
people manage to do without ever changing a tag is amazing!

Since CSS is intended to be purely presentational, the two threats I
can see are hiding evil that they sneak in some other way, and "social
engineering" via misdirection. E.g., I can imagine some mischief where
you swap the labels of the "Cancel" and "Submit" buttons via CSS.
> > with CSS, not Python code. Note that with a little care, the same
> > module that does the t-t-w CSS generation could probably accept an
> > mm_cfg.py and (a) use the variables defined in mm_cfg.py to generate
> > site.css and (b) remove them (warning loudly that setting them in the
> > future will have no effect).
>
> I don't like being able to upload mm_cfg.py ttw, even if it's just to
> suck a few ui variables out of it. If we're going to allow ttw
> updating to the css, let's just do that directly instead of going
> through Python code.
Sorry, my wording was *very* imprecise. What I had in mind was that
the ttw CSS generating <FORM> in HTML will give you KEY=VALUE pairs,
which is what mm_cfg.py is. So the logic for generating CSS would be
the same. The UIs would be completely separate. ttw would go via one
or more HTML forms. The "import mm_cfg" interface would only be
available via the shell, that would not be available ttw.
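An added example (not code from the thread or from Mailman itself) of the shared generation logic described in the reply above, in Python: the ttw form and the shell-side mm_cfg.py both reduce to KEY=VALUE pairs that feed one whitelist-driven generator, and restricting values to plain colours is also where the misdirection worry from earlier in the message gets its check. The variable names, the colour-only rule and the sample inputs are assumptions.

```python
import re

# Whitelisted presentation variables (names are assumptions) that either the
# ttw form or mm_cfg.py may set, each mapped to the one CSS rule it controls.
CSS_VARS = {
    "PAGE_BACKGROUND":   ("body", "background-color"),
    "PAGE_TEXT_COLOR":   ("body", "color"),
    "HEADER_BACKGROUND": ("th",   "background-color"),
    "LINK_COLOR":        ("a",    "color"),
}

# Only a hex colour or a bare keyword passes. "red; } body { display:none"
# or "url(...)" fails, so a form field cannot smuggle extra rules into list.css.
_COLOR = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")


def generate_css(settings):
    """Turn KEY=VALUE pairs into CSS text; return (css, rejected_keys)."""
    rules, rejected = {}, []
    for key, value in settings.items():
        value = value.strip()
        if key not in CSS_VARS or not _COLOR.match(value):
            rejected.append(key)
            continue
        selector, prop = CSS_VARS[key]
        rules.setdefault(selector, []).append(f"{prop}: {value};")
    css = "\n".join(f"{sel} {{ {' '.join(decls)} }}"
                    for sel, decls in sorted(rules.items()))
    return css, rejected


def settings_from_mm_cfg(source):
    """Read whitelisted KEY = 'VALUE' lines from mm_cfg.py *as text*."""
    # Parsing rather than importing means the shell path never executes
    # the file, and the same generate_css() serves both UIs.
    found = {}
    for m in re.finditer(r"^\s*([A-Z_]+)\s*=\s*['\"]([^'\"]*)['\"]", source, re.M):
        if m.group(1) in CSS_VARS:
            found[m.group(1)] = m.group(2)
    return found


# Constructed samples: an mm_cfg.py fragment, and a ttw submission that tries
# to hide the page body and pull in an external url() through a colour field.
SAMPLE_MM_CFG = "DEFAULT_URL_HOST = 'lists.example.com'\n" \
                "PAGE_BACKGROUND = '#ffffff'\nLINK_COLOR = 'blue'\n"
SAMPLE_FORM = {
    "PAGE_BACKGROUND": "#fff",
    "LINK_COLOR": "red; } body { display:none",
    "PAGE_TEXT_COLOR": "url(http://attacker.example/x.png)",
}
```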
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/bond%40yahoo.com
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp