On 03/01/2011 06:48 AM, Malthe Borch wrote:
> On 1 March 2011 14:19, Chris Withers <ch...@simplistix.co.uk> wrote:
>> So, it's quoting the tags but not the entities. Bug, no?
>
> Yes, it certainly seems so.

I hope this isn't an XSS hole. I can't think of a way to add a <script>
tag to a page using this method, but maybe someone else can.
Can we expect a 1.3.x release that fixes this, or is 2.0 the only way
forward? I'm seeing some regressions in 2.0, like the fact that "|" in
expressions doesn't seem to be supported anymore. (I need to replace
those anyway, so I'm not complaining--they are greedy exception handlers.)
Repoze-dev mailing list