Should (some) builtins become legal path expressions? #23

Closed
d-maurer opened this issue Jul 3, 2020 · 4 comments

d-maurer commented Jul 3, 2020

In "plone/Products.CMFPlone#3135 (comment)"
@vincentfretin asks whether tal:omit-tag="True" can again become legal.

With Zope, the default TALES expression type is path and according to the Zope Book any path expression starts with a "variable" defined as either a predefined variable (such as nothing, default, context, ...) or a variable defined by the template. According to this specification, True is not a valid path expression -- and is rejected.

The former chameleon.tales based TALES implementation was less strict: a path expression did not need to start with a variable; some builtins (I do not yet know the precise set, but it included True and False) and internals (that included default) were allowed as well.
And what is allowed and fairly natural (like the tal:omit-tag=True) has a good chance to have been used somewhere. And those places break now with the stricter requirements on path expressions.

Should we relax the requirements on path expressions (and thus make expressions like the above legal)?

Should we support, as the leading element of a path expression besides a variable, only a small set of builtins (including True and False) or any legal builtin (i.e. any Python builtin for a trusted engine and any AccessControl.safe_builtins for an untrusted engine)?
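
To make the three options above concrete, here is an added illustrative resolver for the leading element of a path expression (this is not zope.tales or Products.PageTemplates code; PREDEFINED, SAFE_BUILTINS and the policy names are constructed stand-ins, and SAFE_BUILTINS only imitates the idea of AccessControl.safe_builtins):

```python
import builtins


class Undefined(Exception):
    """Raised when the leading element of a path expression cannot be resolved."""


# Predefined TALES variables any path expression may start with.
# Values are constructed placeholders; a real engine binds context objects here.
PREDEFINED = {"nothing": None, "default": object(), "context": object()}

# Constructed stand-in for a restricted builtin set. An untrusted engine would
# consult AccessControl.safe_builtins instead; this example does not import it.
SAFE_BUILTINS = {"True": True, "False": False, "None": None,
                 "len": len, "str": str, "int": int}

# The candidate policies discussed in the issue, keyed by a constructed name.
POLICIES = {
    "variables_only": {},                         # strict Zope Book reading
    "small_set": {"True": True, "False": False},  # just the natural literals
    "untrusted": SAFE_BUILTINS,                   # restricted builtins only
    "trusted": vars(builtins),                    # every Python builtin
}


def resolve_first(name, template_vars, policy):
    """Resolve the first element of a path expression under the given policy.

    Template-defined and predefined variables always win; builtins are only a
    fallback, and only those the policy exposes. Anything else is rejected.
    """
    if name in template_vars:
        return template_vars[name]
    if name in PREDEFINED:
        return PREDEFINED[name]
    allowed = POLICIES[policy]
    if name in allowed:
        return allowed[name]
    raise Undefined(f"{name!r} is not a legal start of a path expression "
                    f"under policy {policy!r}")


def is_legal(name, policy, template_vars=None):
    """True if `name` may start a path expression under `policy`."""
    try:
        resolve_first(name, template_vars or {}, policy)
    except Undefined:
        return False
    return True
```

The point for a restricted engine is that widening the leading element to "any builtin" must be scoped by the trust level: under the constructed untrusted policy a name such as open stays illegal even though True and False become legal.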

@dataflake

If it's not too much work then anything that makes "pure" Chameleon and our version more similar is a win as long as security isn't affected negatively.

@dataflake dataflake transferred this issue from zopefoundation/Zope Jul 6, 2020
@dataflake dataflake changed the title Products.PageTemplates: should (some) builtins become legal path expressions? Should (some) builtins become legal path expressions? Jul 6, 2020
@dataflake

Fixed in 0e55a38 and just waiting for PyPI access to publish release 5.1

@dataflake

zope.tales 5.1 is now published and the version pins for Zope 4.x and master have been updated to use it.

@dataflake

The Zope bits are on 4.x (zopefoundation/Zope@400947d) and master (zopefoundation/Zope@2abe4eb) now.
