JSONFormField should absolutely not be eval-ing user-supplied content.

Question

fletom opened this issue 11 years ago · comments

Think hiding __builtins__ helps? Nope.

(x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings').next()()._module.__builtins__

Derek Schaefer · Answer 1 · Fri Feb 15 2013 00:32:12 GMT+0800 (China Standard Time)

Good point, that should certainly be disabled by default. Will commit shortly.