Ok, what happens is this:
In order to let you declare your forms nicely with curly braces instead of having to use [list] and put backslashes at the end of each line, while still building a dynamic form, ad_form performs a [subst] on the right-hand side of, I believe, all its arguments.
For example in:
{label $my_label}
The literal string "$my_label" will get an [uplevel subst ...] performed on it by ad_form.
Thus if you let users contribute the content that goes on that right-hand side, they can potentially sneak in something that contains [evil_code] and evil_code will get executed.
However, if the local variable my_label above contains the literal string [evil_code], there'll be no problem, since it'll only get subst'ed once, replacing the literal string "$my_label" with the value of the my_label local variable, the literal string "[evil_code]".
The problem occurs when you construct a Tcl list in a local variable like this:
set elms [list]
foreach ... {
lappend elms [list $name:text [list label $label]]
}
In this case, if the local variable "label" happens to contain $'s or ['s, stuff will get evaluated.
I think a safe solution is to do it like this instead:
foreach ... {
ad_form -extend -name my_form -form {
$name:text {label $label}
}
}
Hm. Actually, on second thought, this WILL NOT work, because ad_form does NOT do a subst on the first part ($name:text) where you declare your widget and its name. But if it did, the above would work and be safe.
/Lars
