Python expression syntax:
Any valid Python language expression
Python expressions evaluate Python code in a security-restricted environment. Python expressions offer the same facilities as those available in Python-based Scripts and DTML variable expressions.
Python expressions are subject to the same security restrictions as Python-based scripts. These restrictions include:
Despite these limits, malicious Python expressions can cause problems. See The Zope Book for more information.
Python expressions have the same built-ins as Python-based Scripts with a few additions.
These standard Python built-ins are available: None, abs,
apply, callable, chr, cmp, complex, delattr,
divmod, filter, float, getattr, hash, hex, int,
isinstance, issubclass, list, len, long, map, max,
min, oct, ord, repr, round, setattr, str, tuple.
The range and pow functions are available and work the same
way they do in standard Python; however, they are limited to
keep them from generating very large numbers and sequences. This
limitation helps protect against denial of service attacks.
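The kind of size cap described above can be sketched as follows. This is an added illustration in Python 3, not Zope's own code; the names limited_range and limited_pow and both limit values are assumptions chosen for the example.

```python
# Illustrative bounded replacements for range() and pow().
# RANGE_LIMIT and POW_BITS_LIMIT are assumed values, not Zope's settings.
RANGE_LIMIT = 1000       # refuse sequences with this many items or more
POW_BITS_LIMIT = 4096    # refuse integer results that may exceed this many bits


def limited_range(*args):
    """Return a list like range(), but refuse oversized sequences."""
    r = range(*args)  # lazy: validates arguments without allocating items
    try:
        n = len(r)
    except OverflowError:
        # Lengths beyond the platform size limit are certainly too large.
        raise ValueError("range() too large")
    if n >= RANGE_LIMIT:
        raise ValueError("range() too large")
    return list(r)


def limited_pow(base, exp, mod=None):
    """Return pow(), but refuse integer results that could be huge."""
    if mod is not None:
        return pow(base, exp, mod)  # result is bounded by the modulus
    if (isinstance(base, int) and isinstance(exp, int)
            and exp > 0 and abs(base) > 1):
        # bit_length(base) * exp is an upper bound on the result's bit
        # length, so the check happens before any large number is built.
        if base.bit_length() * exp > POW_BITS_LIMIT:
            raise ValueError("pow() result too large")
    return pow(base, exp)  # floats overflow with OverflowError on their own
```

Both checks run before any large object is allocated, which is what makes the cap useful against a template expression that asks for an enormous sequence or integer.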
In addition, these utility functions are available: DateTime,
test, and same_type. See DTML functions for more information
on these functions.
Finally, these functions are available in Python expressions, but not in Python-based scripts:
path(string)
string(string)
exists(string)
nocall(string)
A number of Python modules are available by default. You can
make more modules available. You can access modules either via
path expressions (for example modules/string/join) or in
Python with the modules mapping object (for example
modules["string"].join). Here are the default modules:
string
random
math
sequence
Products.PythonScripts.standard
ZTUtils dtml-in. See ZTUtils for more information.
AccessControl
Using a module (pick a random choice from a list):
<span tal:replace="python:modules['random'].choice(['one',
'two', 'three', 'four', 'five'])">
a random number between one and five
</span>
String processing (capitalize the user name):
<p tal:content="python:user.getUserName().capitalize()">
User Name
</p>
Basic math (convert an image size to megabytes):
<p tal:content="python:image.getSize() / 1048576.0">
12.2323
</p>
String formatting (format a float to two decimal places):
<p tal:content="python:'%0.2f' % size">
13.56
</p>