Forum OpenACS Q&A: Re: Security hole in ad_form (may change behavior of ad_form to fix!)
how does ad_form know which data being passed is a user string not to be interpreted, developer data not to be interpreted, and developer data *to be* interpreted?
in the news instance, is it ad_form's job to know not to interpret "[open|closed]", or is should it be escaped before it ever gets there?
Well subst is being called for a purpose. The question seems to be if ad_form is being fed the correct information. ad_form cannot know, and should not care where the string came from. At least that is what I am guessing.