Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-19 Thread Martijn Pieters
On Wed, Aug 14, 2002 at 04:25:09PM -0400, Brian Lloyd wrote: So here's what we'll do. Zope 2.6 will include the string tainting changes, enabled by default. The tainting can be turned off by providing an environment variable. The next Zope 2.5.x release will contain the tainting code, but

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-14 Thread Brian Lloyd
Like I said before, this is probably a good feature. If it was available as a patch then I would probably use it on a number of my sites, and would recommend it to others. I would be very happy to see it (or something like it) in 2.7. But not 2.6. Then Jim wrote: WRT to this change,

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-12 Thread Toby Dickenson
On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote: Without the fix, virtually every Zope site in the world is vulnerable to URL-based cross-site scripting exploits. For instance, any URL which contains invalid form variable marshalling can generate an error page which includes the erroneous

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-12 Thread Martijn Pieters
On Mon, Aug 12, 2002 at 03:51:24PM +0100, Toby Dickenson wrote: On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote: Without the fix, virtually every Zope site in the world is vulnerable to URL-based cross-site scripting exploits. For instance, any URL which contains invalid form variable

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-12 Thread Jim Fulton
Jeffrey P Shell wrote: On 8/9/02 8:43 AM, Toby Dickenson [EMAIL PROTECTED] wrote: ... Like I said before, this is probably a good feature. If it was available as a patch then I would probably use it on a number of my sites, and would recommend it to others. I would be very happy to see it (or

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Toby Dickenson
On Thursday 08 Aug 2002 9:29 pm, Martijn Pieters wrote: On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote: I am about to land some big changes in the way DTML deals with data taken from the REQUEST object when accessed implicitly, in both the Zope Trunk and the Zope 2.5

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Martijn Pieters
On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote: The risk for breakage is very small really Your choice of '' and html_quote suggests that my dtml code which generates javascript and vbscript carries a higher risk than dtml which generates html. Only if you generated that

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Toby Dickenson
On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote: On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote: The risk for breakage is very small really Your choice of '' and html_quote suggests that my dtml code which generates javascript and vbscript carries a higher risk than

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-08 Thread Martijn Pieters
On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote: I am about to land some big changes in the way DTML deals with data taken from the REQUEST object when accessed implicitly, in both the Zope Trunk and the Zope 2.5 branch. In my opinion this change is completely unacceptable

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-03 Thread Florent Guillaume
The way I see it is this: ZPT has (amongst others) the very nice property that it's trivial to audit ZPT pages for non-quoted string output: just grep for 'structure'. OTOH in DTML there's no way to do that, the default is unquoted output. dtml-stuff; is a good step, but there's way too much

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-02 Thread Andy McKay
Likewise I'm trying to digest all that and I'm a little surprised. More magic in DTML? Not something I'd vote for normally. I'm a little confused why this is suddenly an issue, yeah so we pull a string out of the REQUEST and thanks to DTML stack we may not know where it came from. Well that's always

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-02 Thread Martijn Pieters
On Fri, Aug 02, 2002 at 08:55:13AM -0700, Andy McKay wrote: Likewise I'm trying to digest all that and I'm a little surprised. More magic in DTML? Not something I'd vote for normally. I'm a little confused why this is suddenly an issue, yeah so we pull a string out of the REQUEST and thanks to

[Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-01 Thread Martijn Pieters
Hi folks, I am about to land some big changes in the way DTML deals with data taken from the REQUEST object when accessed implicitly, in both the Zope Trunk and the Zope 2.5 branch. These changes could potentially break existing Zope sites. Without these changes, Zope is somewhat vulnerable to