Aargh, 
I sent that first to [EMAIL PROTECTED] ...

>>         Hello message board. This is a message.
>>                <SCRIPT>malicious code</SCRIPT>
>>         This is the end of my message.

> I don't really see your point other than a carelessly implemented app may
> expose these kinds of vulnerabilities. Python (and hence Zope) has a library
> for stripping out this sort of malicious HTML.

> Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this
> can be used.

umm chris,

you're right, but this example

http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>

executes the script. I don't exactly see why/where but I feel 
this really shouldn't happen. As I see it, it's more a problem 
of zope's standard_error page, which constructs links to the 
classic zope site. I don't see a zope-specific bug here, either.

cheers,
oliver
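The pattern Oliver describes, an error page that echoes the requested path into links without escaping it, as an added illustration (this is constructed example code, not Zope's standard_error page; the host name, page markup and `contains_raw_tag` helper are assumptions):

```python
import html
from urllib.parse import quote

# Constructed sample: the path from the URL in the thread, as the server would receive it.
REQUESTED_PATH = "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>"


def error_page_unsafe(path: str) -> str:
    """The bug pattern: the requested path is interpolated verbatim into a link."""
    return (
        "<html><body><h1>Resource not found</h1>"
        f'<p>Try the classic site: <a href="http://www.zope.org{path}">{path}</a></p>'
        "</body></html>"
    )


def error_page_safe(path: str) -> str:
    """Same page, hardened: percent-encode the path inside the href and
    HTML-escape it where it appears as link text (attribute quoting included)."""
    href = "http://www.zope.org" + quote(path, safe="/")  # '<', '>', '(' , ')' become %XX
    return (
        "<html><body><h1>Resource not found</h1>"
        f'<p>Try the classic site: <a href="{html.escape(href, quote=True)}">'
        f"{html.escape(path, quote=True)}</a></p>"
        "</body></html>"
    )


def contains_raw_tag(page: str, tag: str = "<script") -> bool:
    """Crude regression check (hypothetical helper): does the rendered response
    still carry a live tag that a browser would execute?"""
    return tag in page.lower()


if __name__ == "__main__":
    print("unsafe page executes script:", contains_raw_tag(error_page_unsafe(REQUESTED_PATH)))
    print("safe page executes script:  ", contains_raw_tag(error_page_safe(REQUESTED_PATH)))
```

Tag-stripping filters such as the one suggested above are meant for user-submitted HTML content; a path or query string reflected into markup is output that should be escaped for its context, not sanitised.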



_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
