
Forum OpenACS Q&A: Re: Security hole in ad_form (may change behavior of ad_form to fix!)

This is Don, not Alex ...

Greenpeace apparently has been happily doing this to do extends in loops but I think it has the same double-substitution problem that Lars's original example does, right?

for {set i 1} {$i <= $itemcount} {incr i} {
  gp_form -extend -name homepage_edit -form "
    {title_$i:text {label {Title $i}}}
    {image_$i:gp_image,multiple {label {Image $i}}}
  "
}

I do think the safest might be to subst the element name/type decl as well as the attr portion so we can have both dynamic names and types.

Is there any problem with this that anyone can think of? I wasn't thinking of using ad_form for dynamic forms when I wrote it; it began as an experiment to rapidly create form handling pages when I was writing a bunch of code for Greenpeace.

But clearly being able to create truly dynamic forms is a real plus.
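
The double substitution discussed in this post, shown side by side with the braced form, as an added example that is not part of the original post and is not OpenACS code. `toy_form` is a hypothetical stand-in that substitutes both the name/type declaration and the attribute values in the caller's scope, as the post proposes; the `label` value and the `side_effect` counter are constructed for the demonstration (Tcl 8.5 or later).

```tcl
# Hypothetical stand-in for a form builder, not ad_form's real code.
# It runs subst once, in the caller's scope, on the element declaration
# and on every attribute value.
proc toy_form {spec} {
    set result {}
    foreach element $spec {
        # First word is the name:type declaration, the rest are attributes.
        set attrs [lassign $element decl]
        set out [list [uplevel 1 [list subst $decl]]]
        foreach attr $attrs {
            lassign $attr key value
            lappend out [list $key [uplevel 1 [list subst $value]]]
        }
        lappend result $out
    }
    return $result
}

set ::side_effect 0
set i 2
# Constructed value standing in for text that arrived with a request.
# The bracketed command is harmless: it only bumps a counter.
set label {News [incr ::side_effect]}

# Double-quoted spec, as in the loop above: Tcl substitutes $i and $label
# while building the string, then the builder substitutes the result a
# second time, so the brackets inside the label value are evaluated.
set double [toy_form "{title_$i:text {label {$label}}}"]
set after_double $::side_effect

# Braced spec: Tcl passes the text through untouched and the builder does
# the only substitution. $i still yields a dynamic element name, and the
# content of $label is inserted as data without being rescanned.
set single [toy_form {{title_$i:text {label {$label}}}}]
set after_single $::side_effect

puts "double-quoted: $double  side_effect=$after_double"
puts "braced:        $single  side_effect=$after_single"
```

A counter that changes after the double-quoted call and stays put after the braced call is the signal to look for when auditing callers that build form specs inside double quotes.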