On 03/01/2011 06:48 AM, Malthe Borch wrote:
> On 1 March 2011 14:19, Chris Withers <ch...@simplistix.co.uk> wrote:
>> So, it's quoting the tags but not the entities. Bug, no?
>
> Yes, it certainly seems so.

I hope this isn't an XSS hole. I can't think of a way to add a <script> tag to a page using this method, but maybe someone else can.

Can we expect a 1.3.x release that fixes this, or is 2.0 the only way forward? I'm seeing some regressions in 2.0, like the fact that "|" in expressions doesn't seem to be supported anymore. (I need to replace those anyway, so I'm not complaining--they are greedy exception handlers.)

Repoze-dev mailing list

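The behaviour under discussion (markup characters quoted, ampersands left alone) can be checked in isolation. The following is an added example, not code from the thread or from Chameleon: `escape_tags_only` is a constructed stand-in for the escaping Chris describes, `escape_full` is the complete form via the standard library, and `html.unescape` approximates what a browser's tokenizer does with character references. The `onclick="show('...')"` layout in `handler_script` is a hypothetical template, assumed here to show the one context where a pre-encoded entity can matter.

```python
import html

# Constructed stand-in for the escaping behaviour described in the thread:
# '<', '>' and '"' are quoted, '&' is passed through. Not Chameleon's code.
def escape_tags_only(text):
    return (text.replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))

# The complete form: '&' is escaped first, so a character reference that is
# already in the data stays literal text instead of being decoded again.
def escape_full(text):
    return html.escape(text, quote=True)

def browser_view(markup):
    """Text a browser presents after decoding character references."""
    return html.unescape(markup)

def starts_tag(markup):
    """True if a raw '<' survived escaping and could open a tag."""
    return "<" in markup

def round_trips(escaper, text):
    """True if what the browser shows equals the original data."""
    return browser_view(escaper(text)) == text

def handler_script(escaper, value):
    """Hypothetical template that drops the escaped value into an inline
    handler, onclick="show('...')". Returns the JavaScript the engine
    receives: the browser decodes references in the attribute value
    before the script is parsed."""
    attr_value = "show('%s')" % escaper(value)
    return browser_view(attr_value)

if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    for esc in (escape_tags_only, escape_full):
        # Tag injection is blocked by both escapers in ordinary text.
        assert not starts_tag(esc(probe))
    # Pre-encoded input passes the weak escaper verbatim, so the browser
    # shows "<script>" as text where the data actually said "&lt;script&gt;".
    # That is a data-integrity bug, not script execution.
    assert escape_tags_only("&lt;script&gt;") == "&lt;script&gt;"
    assert browser_view(escape_tags_only("&lt;script&gt;")) == "<script>"
    assert not round_trips(escape_tags_only, "&lt;b&gt;")
    assert round_trips(escape_full, "&lt;b&gt;")
    # Inline handler: an already-encoded quote slips past the weak escaper
    # and becomes a real quote once the attribute value is decoded.
    print(handler_script(escape_tags_only, "&#39;);alert(1)//"))
    print(handler_script(escape_full, "&#39;);alert(1)//"))
```

In plain element text and in quoted attributes the unescaped ampersand only corrupts output: encoded data is shown decoded, which is what Chris's "can't think of a way to add a `<script>` tag" amounts to. The handler case is the caveat: a value rendered inside an attribute that is itself JavaScript is decoded before the script runs, so `&#39;` becomes `'` and closes the string. That layout is unsafe with any HTML escaper and needs JavaScript-string escaping of its own; the example only shows that the missing `&` step removes the last accidental barrier.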