Index: openacs-4/packages/acs-tcl/tcl/deprecated-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/deprecated-procs.tcl,v diff -u -r1.29.2.24 -r1.29.2.25 --- openacs-4/packages/acs-tcl/tcl/deprecated-procs.tcl 13 Jul 2022 09:54:32 -0000 1.29.2.24 +++ openacs-4/packages/acs-tcl/tcl/deprecated-procs.tcl 23 Aug 2022 18:44:55 -0000 1.29.2.25 @@ -3300,19 +3300,20 @@ back from the users if the form looked like - and + <input type=text name=yow> and + <input type=text name=bar> then after you run this function you'll have Tcl vars $foo and $bar set to whatever the user typed in the form - +

this uses the initially nauseating but ultimately delicious Tcl system function "uplevel" that lets a subroutine bash the environment and local vars of its caller. It ain't Common Lisp... - +

This is an ad-hoc check to make sure users aren't trying to pass in "naughty" form variables in an effort to hack the database by passing in SQL. It is called in all instances where a Tcl variable is set from a form variable. - +

Checks the given variable for against known form variable exploits. If it finds anything objectionable, it throws an error. } {
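Review bot: The example in the added lines names the first field `name=yow`, but the sentence right after it promises Tcl vars $foo and $bar, so the doc comment contradicts itself; the first input should read `name=foo`, or the sentence should say $yow. If this doc string is rendered as HTML by the API documentation, the literal `<input ...>` tags also need to be escaped so they show as text instead of as form fields. The three blank-line -/+ pairs look like whitespace-only changes and would be easier to review as a separate commit. While this block is being edited, the context line "Checks the given variable for against known form variable exploits" has a stray "for" that could be fixed in the same pass.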