Barry Warsaw writes:
> Would you make $list.css editable by the list admin, a la
> listinfo.html? Does doing so open any additional security
> vulnerabilities?
Yes to editable, I don't know to security vulnerabilities. View the CSS Zen Garden (better yet, get the book), and know fear. What those people manage to do without ever changing a tag is amazing!
Since CSS is intended to be purely presentational, the two threats I can see are hiding evil that they sneak in some other way, and "social engineering" via misdirection. E.g., I can imagine some mischief where you swap the labels of the "Cancel" and "Submit" buttons via CSS.
with CSS, not Python code. Note that with a little care, the same module that does the t-t-w CSS generation could probably accept an mm_cfg.py and (a) use the variables defined in mm_cfg.py to generate site.css and (b) remove them (warning loudly that setting them in the future will have no effect).
> I don't like being able to upload mm_cfg.py ttw, even if it's just to
> suck a few ui variables out of it. If we're going to allow ttw
> updating to the css, let's just do that directly instead of going
> through Python code.
Sorry, my wording was *very* imprecise. What I had in mind was that the ttw CSS generating <FORM> in HTML will give you KEY=VALUE pairs, which is what mm_cfg.py is. So the logic for generating CSS would be the same. The UIs would be completely separate. ttw would go via one or more HTML forms. The "import mm_cfg" interface would only be available via the shell, that would not be available ttw.
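A sketch of the shared "KEY=VALUE pairs in, site.css out" logic the thread describes, added here as an illustration and not code from Mailman or from either poster. The variable names, selectors and value grammars are assumptions; the point is that a generator fed from a form or from mm_cfg.py only ever emits declarations for allow-listed keys with strictly validated values, so a setting cannot smuggle extra rules into the sheet.

```python
import re

# Hypothetical allow-list of UI variables a list admin may set (constructed for
# this example; not Mailman's real mm_cfg names). Each maps to one selector,
# one property and the value grammar that property accepts.
ALLOWED = {
    "BODY_BG_COLOR": ("body", "background-color", "color"),
    "BODY_TEXT_COLOR": ("body", "color", "color"),
    "LINK_COLOR": ("a", "color", "color"),
    "HEADER_FONT_SIZE": ("h1", "font-size", "length"),
}

# Strict value grammars: hex colours and simple lengths only, so a value can
# never carry a ';', a '}' or a url() into the generated stylesheet.
VALUE_RE = {
    "color": re.compile(r"^#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$"),
    "length": re.compile(r"^\d{1,3}(?:\.\d{1,2})?(?:px|em|pt|%)$"),
}


def parse_key_values(text):
    """Reduce 'KEY = VALUE' lines (a POSTed form body or an mm_cfg.py-style
    file) to a dict. Lines starting with '#' are comments; quotes are stripped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        out[key] = value.strip("'\"")
    return out


def generate_css(settings):
    """Return (css_text, rejected_keys). Unknown keys and malformed values are
    dropped and reported rather than passed through to the stylesheet."""
    rules = {}
    rejected = []
    for key, value in settings.items():
        if key not in ALLOWED:
            rejected.append(key)
            continue
        selector, prop, kind = ALLOWED[key]
        value = str(value).strip()
        if not VALUE_RE[kind].match(value):
            rejected.append(key)
            continue
        rules.setdefault(selector, []).append(f"  {prop}: {value};")
    blocks = [f"{sel} {{\n" + "\n".join(decls) + "\n}" for sel, decls in rules.items()]
    return "\n".join(blocks), rejected
```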