[ic] [loop-code] interpolation = security risk?
emailgrant at gmail.com
Wed Oct 22 23:22:51 UTC 2014
>> Does this behavior seem like an unnecessary security risk to anyone else?
>> [tmpn test1]"[tmpn test2]yes[/tmpn][scratch test2]"[/tmpn]
>> [loop list=|[scratch test1]| quoted=1]
>> [loop-code] is interpolated so "yes" is printed. [loop search=...]
>> does not behave this way, only [loop list=...]. This strikes me as
>> both dangerous and inconsistent.
> It is useful behavior that gets used some places, but I agree it's not a
> good idea. The ITL parser in general is full of such landmines. At this late
> date I'm afraid it's not really reasonable to introduce major breaking
> changes such as disabling reparse in a situation like this.
"some places" in the demo store or in people's code in general?
Maybe a catalog directive to enable/disable the landmines?
> If you need to use IC5, I'd recommend moving loop logic into a Perl module
> that you then invoke from a usertag, or something similar. Then you'll have
> a lot more safety and control, and usually more speed too.
I'm sorry to hear that. Should ITL generally be avoided for security,
or just [loop]?
Is IC6 ready for prime time?