- allow comma separated list of modules, and each is recognised in values
- auto import stuff in values as deep as imports will go
- create a subclass in mymodule of Button whose sole purpose
is to call wx.Button but at least Button and the ID will be
in the same module
Are there any plans to implement any of these, or any of the particular
mechanisms "blessed" more than others?
If you can do this without exec and eval then I'll make the change.
Hint: you might try reusing _my_import in the same module, adapting it
to be able to optionally ignore the last component of the name. Then
just call it to get the module and then return getattr(module,
lastComponentOfName)
That won't work as you don't know where the module name ends. For example most of my constants are static members of a class:
import wx

class Foo:
    ID_DELETE = wx.NewId()
So the tag is module.Foo.ID_DELETE
I even have some nested classes where the class is a composite of
other widgets.
import wx

class WallpaperDisplay:
    class Preview:
        ID_ZOOM_IN = wx.NewId()
So the tag then is module.WallpaperDisplay.Preview.ID_ZOOM
It may be possible to try and rejig the code, doing inspection
after each dot, but I don't think it would be much of an
improvement.
But it would be safer, you would be less likely to execute malicious code. Perhaps it could be done by __import__'ing as far down the chain, and then using getattrs after that.
--
Robin Dunn
Software Craftsman http://wxPython.org Java give you jitters? Relax with wxPython!
But it would be safer, you would be less likely to execute malicious
code. Perhaps it could be done by __import__'ing as far down the chain,
and then using getattrs after that.
Probably, but the code gets longer and more convoluted.
I did initially consider the security angle until I realised that the
existing system is insecure anyway. Being able to instantiate
any class from any module from HTML is 100% insecure for externally
sourced HTML. Changing the code I had is like shutting a newly opened
window while ignoring the wide open door.
If wxpTag is intended to be secure then a lot more thought and design
needs to go into the whole design and implementation.
No, it wasn't intended to be so, but neither does it make sense to make it worse. Using exec/eval on the raw text out of the html IMO is just asking for problems since even simple typos will be executed and would be hard to find intermingled in the html. Forcing imports and attribute lookups instead, while still insecure, would seem to me to be less prone to simple mistakes causing problems.
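The import-then-getattr scheme discussed in this thread, written out as an added example (not code from wxPython or from either poster): it imports as deep as the dotted chain allows and resolves the rest with getattr, so the caller never needs to know where the module name ends, and nested class members like module.WallpaperDisplay.Preview.ID_ZOOM_IN still work. The module `mymodule`, its classes and the counter standing in for wx.NewId() are constructed here for the demonstration.

```python
import importlib
import sys
import types


def resolve_dotted_name(name):
    """Resolve 'pkg.mod.Class.Inner.ATTR' without exec or eval.

    The longest importable prefix is imported; every remaining
    component is an attribute lookup. A typo in the tag raises
    AttributeError instead of silently executing something.
    """
    parts = name.split(".")
    # Reject anything that is not a plain dotted identifier, e.g. calls.
    if not parts or not all(p.isidentifier() for p in parts):
        raise ValueError("not a dotted identifier: %r" % name)
    obj, depth = None, 0
    for i in range(1, len(parts) + 1):
        try:
            obj = importlib.import_module(".".join(parts[:i]))
            depth = i
        except ImportError:
            # 'x.Foo' fails once x is a module, not a package: stop here.
            # Note this also swallows ImportErrors raised inside a module.
            break
    if obj is None:
        raise ImportError("no importable prefix in %r" % name)
    for attr in parts[depth:]:
        obj = getattr(obj, attr)
    return obj


# Constructed stand-in for the poster's module; a counter replaces wx.NewId().
_next_id = iter(range(100, 1000))


class Foo:
    ID_DELETE = next(_next_id)


class WallpaperDisplay:
    class Preview:
        ID_ZOOM_IN = next(_next_id)


mymodule = types.ModuleType("mymodule")
mymodule.Foo = Foo
mymodule.WallpaperDisplay = WallpaperDisplay
sys.modules["mymodule"] = mymodule
```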