Forum OpenACS Q&A: Re: Security hole in ad_form (may change behavior of ad_form to fix!)

When I wrote ad_form, my intention was that dynamic forms be built using -extend, so I personally prefer Lars's solution - do a subst on the form element name/type definition as well as its attributes.

Are there any objections to this?  It would only break existing code if folks named their forms using "$" or "[]", which I would describe as bad coding practice anyway.