On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > The risk for breakage is very small really
> 
> Your choice of '<' and html_quote suggests that my dtml code which generates 
> javascript and vbscript carries a higher risk than dtml which generates html.

Only if you generated that script using data from the REQUEST, implicitly.
Which was bad in the first place.

> >, and breakage
> > will generally only occur when someone is trying to exploit the weakness,
> > not in normal operation of the site.
> 
> The fact that your change uses html_quote to 'fix' the problem rather than 
> sounding 'hacker alert' alarm bells suggests to me that you don't really 
> believe that ;-)

Again, the wide scope of DTML use would make such bells warble prematurely
all too often. The normal, recommended fix for the general weakness is to
always use HTML quote.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
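The exchange above turns on one point: html_quote is the right default when REQUEST data lands in HTML, but the same call inside generated JavaScript either leaves the script context unprotected or rewrites the value the script receives (Toby's "breakage"). The following Python is an added illustration of that distinction, not Zope or DTML code; the `html_quote` here is a simplified stand-in for DTML's function, `js_string_quote` is a hypothetical context-specific escaper, and the sample names are constructed.

```python
import json


def html_quote(text):
    """Escape the characters that matter in HTML text and attribute context.
    Simplified stand-in for DTML's html_quote, not the Zope implementation."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def js_string_quote(text):
    """Build a JavaScript string literal that is safe inside a <script> block.
    JSON quoting handles quotes, backslashes and control characters; the
    extra replacements stop '</script>' in the data from closing the block
    and escape the U+2028/U+2029 line separators that JSON permits raw but
    older JavaScript parsers treat as line terminators.
    Hypothetical helper written for this example."""
    literal = json.dumps(text)
    return (literal.replace("/", "\\/")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def render_html(name):
    """HTML context: html_quote is the recommended, general fix."""
    return "<p>Hello, %s</p>" % html_quote(name)


def render_script(name):
    """Script context: the value must be quoted as a JavaScript string,
    not as HTML text."""
    return "<script>var user = %s;</script>" % js_string_quote(name)


def js_value_after_html_quote(name):
    """What a script would actually receive if html_quote were applied to
    data placed inside a JavaScript string: entity text such as '&lt;'
    rather than the original characters. This is the 'breakage' case."""
    return html_quote(name)


if __name__ == "__main__":
    # Constructed sample values containing the characters each escaper cares about.
    print(render_html('Tom & Jerry <3'))
    print(render_script('Tom "T" <3'))
    print(js_value_after_html_quote("a<b"))
</code>

Because `js_string_quote` emits a valid JSON string literal, the original value round-trips exactly through a JSON parser, which is the property a script context needs; `html_quote` in that position does not round-trip, which is why the two contexts need two different escapers rather than one applied everywhere.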

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
