On Wed, 2 Feb 2000 [EMAIL PROTECTED] wrote:

> A web site may inadvertently include malicious HTML tags or script in
> a dynamically generated page based on unvalidated input from
> untrustworthy sources. This can be a problem when a web server does
> not adequately ensure that generated pages are properly encoded to
> prevent unintended execution of scripts, and when input is not
> validated to prevent malicious HTML from being presented to the user.
>
> Advisory may be found at:
> http://www.cert.org/advisories/CA-2000-02.html
>
> Should we react to this with respect to the Squeak Swiki regarding
> <SCRIPT> tags?

I'm not sure. It's not only script tags. It would prevent swiki authors from putting "active content" into a page. OTOH Swikis are mostly about text and images.

BTW, the vulnerability occurs in the strangest places - copy this link to your browser:

http://minnow.cc.gatech.edu/<SCRIPT>alert("EVIL")</SCRIPT>

and look at the page source code. Now this one is trivial to fix (SwikiAdmins: insert "XmlSwikiPage toXml format: ..." into */actions/url.*), but still ...

-Bert-
