Forum OpenACS Development: Auto-localization of variables

Collapse
Posted by Daniël Mantione on
Hi,

By default OpenACS localizes variables. I don't know what the reason was to do it, but it makes it possible to crash about any package by including a locale string that needs a variable. See my previous bboard message for a demonstration.

Is it really a good idea to localize all variables by default?

Collapse
Posted by Daniël Mantione on
Not everybody at once, please :)

Seriously, I think it is a big problem that any user can break any page he can make a string appear.

Collapse
Posted by Malte Sussdorff on
Interesting. I think we might want to prohibit using language keys upon input of data by the user (probably an additional check for the valid input strings). I know that we rely heavily in the fact that OpenACS I18N everything by default, so if this behaviour was changed we would be in deep trouble.

Alternatively we could try to add something like ;nolocalize to variable, preventing them from being localized.

Collapse
Posted by Daniël Mantione on
Bug report:

https://openacs.org/bugtracker/openacs/bug?bug%5fnumber=2692

In my humble opinion, just as it is a good idea to quote html by default and require noquote to prevent quoting; it is a bad idea to auto localize variables, it shouldn't be so troublesome to do [_ message_string], which is done in most packages.

Collapse
Posted by Dave Bauer on
Perhaps we need two types or localization.

One with variable replacement and one without. The variable replacement is the problem. I can't see any reason to substitute variables inside message keys in a form posting.

I think it makes more sense to replace the varaibles you know need replacing in the Tcl datasource. Perhaps it was a mistake to auto-localize variables. This also puts a large amount of uneeded processing on most variables. User entered data generally does not include message keys, ie: forum postings, CMS content, etc.