Forum OpenACS Development: Response to Flaw/Bug in Forum Message Posting
I would rather not see a forced security filtering of everything coming through user feedback through the rp. There are times when allhtml should be allowed (edit-this-page comes to mind, as well as admin pages). The tools already exist to do proper validation; as developers, we just need to be sure to use them.
I have thought for a long time that it would be useful to be able to use the ad_page_contract filters outside of the ad_page_contract block of code. There have been many times that I have needed to bring variables in that I won't know the names of until the proc is used. In these instances I've relied on the trusty ns_queryget, which does no kind of validation or :trim, etc. At one time I tried to see how such a proc could be constructed, but gave up for lack of time. I envision such a proc taking all the arguments of the -query section of ad_page_contract and grabbing the appropriate query variable and setting them up locally. Possibly like:
set varname [lindex $list_of_vars 0]
ad_queryget_vars $varname:trim
I know I would find such a proc very useful.
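An added sketch of what such a proc could look like, as an illustration that is not part of the original post and not OpenACS code. The name ad_queryget_vars and the filter subset it understands (trim, notnull, integer, naturalnum, allhtml) are assumptions; ns_queryget, ad_return_complaint, ad_script_abort and ad_html_security_check are the existing AOLserver/OpenACS procs it relies on.

```tcl
# Hypothetical ad_queryget_vars: apply a subset of ad_page_contract's filters
# to query variables whose names are only known at runtime, then set them in
# the caller's scope. Added example, not OpenACS code. Assumes the AOLserver
# ns_queryget API and the OpenACS procs ad_return_complaint, ad_script_abort
# and ad_html_security_check.
proc ad_queryget_vars { args } {
    foreach spec $args {
        # "name:filter1,filter2" -> variable name plus its filter list
        set parts   [split $spec ":"]
        set name    [lindex $parts 0]
        set filters [split [lindex $parts 1] ","]

        # Only accept plain identifiers as variable names, so a runtime-chosen
        # name cannot write to something unexpected in the caller's scope
        if { ![regexp {^[A-Za-z_][A-Za-z0-9_]*$} $name] } {
            error "ad_queryget_vars: bad variable name '$name'"
        }

        set value [ns_queryget $name ""]
        set allow_html 0

        foreach filter $filters {
            switch -- $filter {
                "" { }
                trim { set value [string trim $value] }
                notnull {
                    if { $value eq "" } {
                        ad_return_complaint 1 "The field $name is required."
                        ad_script_abort
                    }
                }
                integer {
                    if { ![regexp {^[+-]?[0-9]+$} $value] } {
                        ad_return_complaint 1 "The field $name must be an integer."
                        ad_script_abort
                    }
                }
                naturalnum {
                    if { ![regexp {^[0-9]+$} $value] } {
                        ad_return_complaint 1 "The field $name must be a non-negative integer."
                        ad_script_abort
                    }
                }
                allhtml { set allow_html 1 }
                default { error "ad_queryget_vars: unknown filter '$filter'" }
            }
        }

        # Like ad_page_contract, run the HTML security check unless the page
        # explicitly asked for allhtml (ad_html_security_check returns an
        # empty string when the markup is acceptable)
        if { !$allow_html } {
            set problem [ad_html_security_check $value]
            if { $problem ne "" } {
                ad_return_complaint 1 "$name: $problem"
                ad_script_abort
            }
        }

        # Set the variable in the caller's scope under its runtime name
        uplevel 1 [list set $name $value]
    }
}

# Usage in a page whose variable names come from a list:
# set varname [lindex $list_of_vars 0]
# ad_queryget_vars "${varname}:trim,notnull" "message_id:integer"
```

The point of the identifier check and of defaulting to ad_html_security_check is that a proc which sets variables by runtime name is only as safe as ad_page_contract if it keeps the same default-deny posture: a page has to say allhtml to get unfiltered markup, rather than getting it by forgetting a filter.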