[ic] [loop-code] interpolation = security risk?

Jon Jensen jon at endpoint.com
Wed Oct 22 23:05:23 UTC 2014

On Wed, 22 Oct 2014, Grant wrote:

> Does this behavior seem like an unnecessary security risk to anyone 
> else?
> [tmpn test1]"[tmpn test2]yes[/tmpn][scratch test2]"[/tmpn]
> [loop list=|[scratch test1]| quoted=1]
>    [loop-code]
> [/loop]
> [loop-code] is interpolated so "yes" is printed. [loop search=...]
> does not behave this way, only [loop list=...].  This strikes me as
> both dangerous and inconsistent.

It is useful behavior that gets used some places, but I agree it's not a 
good idea. The ITL parser in general is full of such landmines. At this 
late date I'm afraid it's not really reasonable to introduce major 
breaking changes such as disabling reparse in a situation like this.

If you need to use IC5, I'd recommend moving loop logic into a Perl module 
that you then invoke from a usertag, or something similar. Then you'll 
have a lot more safety and control, and usually more speed too.


Jon Jensen
End Point Corporation

More information about the interchange-users mailing list