[ic] [loop-code] interpolation = security risk?
jon at endpoint.com
Wed Oct 22 23:05:23 UTC 2014

On Wed, 22 Oct 2014, Grant wrote:

> Does this behavior seem like an unnecessary security risk to anyone
>
> [tmpn test1]"[tmpn test2]yes[/tmpn][scratch test2]"[/tmpn]
> [loop list=|[scratch test1]| quoted=1]
>
> [loop-code] is interpolated so "yes" is printed. [loop search=...]
> does not behave this way, only [loop list=...]. This strikes me as
> both dangerous and inconsistent.

It is useful behavior that gets used some places, but I agree it's not a
good idea. The ITL parser in general is full of such landmines. At this
late date I'm afraid it's not really reasonable to introduce major
breaking changes such as disabling reparse in a situation like this.

If you need to use IC5, I'd recommend moving loop logic into a Perl module
that you then invoke from a usertag, or something similar. Then you'll
have a lot more safety and control, and usually more speed too.

End Point Corporation
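
A toy model of the reparse behavior discussed in this thread, added here as an example; it is not code from either message and not Interchange's ITL parser. The names `expand_tags`, `loop_reparse` and `loop_data_only`, the `<li>` template and the sample values are constructed assumptions.

```perl
#!/usr/bin/env perl
# Added illustration: a toy tag expander, NOT Interchange's ITL parser.
use strict;
use warnings;

# Constructed sample data: a scratch-like store and a list whose first
# value carries tag syntax, as in the thread's [scratch test1] value.
my %scratch = (test2 => 'yes');
my @list    = ('[scratch test2]', 'plain');

# Expand [scratch NAME] tags found in the text it is given (one pass).
sub expand_tags {
    my ($text) = @_;
    $text =~ s/\[scratch\s+(\w+)\]/$scratch{$1} \/\/ ''/ge;
    return $text;
}

# Reparse model: the list value is substituted into the row first and the
# row is parsed afterwards, so tag syntax inside the data gets expanded.
sub loop_reparse {
    my ($template, @items) = @_;
    return join '', map {
        my $row = $template;
        $row =~ s/\[loop-code\]/$_/g;
        expand_tags($row);
    } @items;
}

# Data-only model: the template is parsed first, then each value is
# inserted with '[' encoded so no later pass can read it as a tag.
sub loop_data_only {
    my ($template, @items) = @_;
    my $parsed = expand_tags($template);
    return join '', map {
        my $val = $_;
        $val =~ s/\[/&#91;/g;
        my $row = $parsed;
        $row =~ s/\[loop-code\]/$val/g;
        $row;
    } @items;
}

my $template = "<li>[loop-code]</li>\n";
print "reparse:\n",   loop_reparse($template, @list);
print "data-only:\n", loop_data_only($template, @list);
```

The only difference between the two loops is the order of parsing and substitution, which is what decides whether list values are treated as data or as markup.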