[ic] [loop-code] interpolation = security risk?

Grant emailgrant at gmail.com
Wed Oct 22 23:22:51 UTC 2014

>> Does this behavior seem like an unnecessary security risk to anyone else?
>> [tmpn test1]"[tmpn test2]yes[/tmpn][scratch test2]"[/tmpn]
>> [loop list=|[scratch test1]| quoted=1]
>>    [loop-code]
>> [/loop]
>> [loop-code] is interpolated so "yes" is printed. [loop search=...]
>> does not behave this way, only [loop list=...].  This strikes me as
>> both dangerous and inconsistent.
> It is useful behavior that gets used some places, but I agree it's not a
> good idea. The ITL parser in general is full of such landmines. At this late
> date I'm afraid it's not really reasonable to introduce major breaking
> changes such as disabling reparse in a situation like this.

"some places" in the demo store or in people's code in general?

Maybe a catalog directive to enable/disable the landmines?

> If you need to use IC5, I'd recommend moving loop logic into a Perl module
> that you then invoke from a usertag, or something similar. Then you'll have
> a lot more safety and control, and usually more speed too.

I'm sorry to hear that.  Should ITL generally be avoided for security,
or just [loop]?

Is IC6 ready for prime time?

- Grant

More information about the interchange-users mailing list