On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote:
> On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > > The risk for breakage is very small really
> >
> > Your choice of '<' and html_quote suggests that my dtml code which
> > generates javascript and vbscript carries a higher risk than dtml which
> > generates html.
>
> Only if you generated that script using data from the REQUEST, implicitly.

Yes

> Which was bad in the first place.

I agree it is true in most cases, but not all. Have you analysed how many 
applications will be broken by this? How can they detect the breakage? I 
certainly will not have time to assess the implications on my applications 
before the scheduled release of 2.6.

> > >, and breakage
> > > will generally only occur when someone is trying to exploit the
> > > weakness, not in normal operation of the site.
> >
> > The fact that your change uses html_quote to 'fix' the problem rather
> > than sounding 'hacker alert' alarm bells suggests to me that you don't
> > really believe that ;-)
>
> Again, the wide scope of DTML use would make such bells warble prematurely
> all too often.

'all too often' also contradicts your statements that this will not happen in 
normal operation of the site, and that the risk of breakage is 'very small'.


Like I said before, this is probably a good feature. If it was available as a 
patch then I would probably use it on a number of my sites, and would 
recommend it to others. I would be very happy to see it (or something like it) 
in 2.7.

But not 2.6.


_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
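The disagreement above turns on one technical point: html_quote is the right escape for HTML text, but DTML that emits JavaScript or VBScript is a different output context, so blanket html_quote of REQUEST data both corrupts legitimate values in script blocks and fails to stop injection there. The Python below is an added illustration and is not code from this thread or from Zope. Its html_quote() is a reconstruction of the classic four-character HTML escape (assumption: Zope 2's DocumentTemplate html_quote behaved the same way; check DT_Util.py for the real thing), render() is a hypothetical stand-in for DTML variable substitution rather than Zope's engine, the `js_quote` modifier is a hypothetical name for a script-context escape, and the request values are constructed sample input.

```python
import json
import re

# Assumption: reconstruction of Zope 2's html_quote (four-character escape).
def html_quote(value):
    """Escape the characters that can change HTML structure."""
    return (str(value).replace("&", "&amp;")
                      .replace("<", "&lt;")
                      .replace(">", "&gt;")
                      .replace('"', "&quot;"))


def js_quote(value):
    """Escape a value for use as a JavaScript string literal.

    A JSON string literal is a valid JS string literal; "</" is split up as
    well so the value cannot close the enclosing <script> block early.
    """
    return json.dumps(str(value)).replace("</", "<\\/")


# Hypothetical DTML-like substitution: <dtml-var name> or <dtml-var name js_quote>.
DTML_VAR = re.compile(r"<dtml-var (\w+)(?: (\w+))?>")


def render(template, request, auto_quote=False):
    """Substitute request values into the template.

    auto_quote=True models the 2.6 behaviour under discussion: every
    substituted REQUEST value goes through html_quote(), whatever the
    surrounding context. The js_quote modifier is a hypothetical opt-in
    that escapes for a script context instead.
    """
    def substitute(match):
        name, modifier = match.group(1), match.group(2)
        raw = str(request[name])
        if modifier == "js_quote":
            return js_quote(raw)
        return html_quote(raw) if auto_quote else raw
    return DTML_VAR.sub(substitute, template)


# Constructed templates: one HTML context, one script context, one script
# context using the hypothetical context-aware modifier.
HTML_PAGE = "<p>Hello <dtml-var name></p>"
SCRIPT_PAGE = "<script>var who = '<dtml-var name>';</script>"
SCRIPT_PAGE_FIXED = "<script>var who = <dtml-var name js_quote>;</script>"

# Constructed sample inputs: a legitimate value and a script-context payload.
BENIGN = "O'Reilly & Sons"
PAYLOAD = "'; alert(document.cookie); //"


def compare():
    """Render each template both ways and return the results for inspection."""
    return {
        # Correct: html_quote is the right escape for HTML text.
        "html_benign_quoted": render(HTML_PAGE, {"name": BENIGN}, auto_quote=True),
        # Broken in normal operation: browsers do not decode entities inside
        # <script>, so the user sees "&amp;", and the unescaped "'" still
        # splits the JS string literal.
        "script_benign_quoted": render(SCRIPT_PAGE, {"name": BENIGN}, auto_quote=True),
        # Not fixed: html_quote leaves "'" and ";" alone, so the payload runs.
        "script_payload_quoted": render(SCRIPT_PAGE, {"name": PAYLOAD}, auto_quote=True),
        # Context-appropriate escape: payload becomes inert string data.
        "script_payload_fixed": render(SCRIPT_PAGE_FIXED, {"name": PAYLOAD}),
        "script_benign_fixed": render(SCRIPT_PAGE_FIXED, {"name": BENIGN}),
    }


if __name__ == "__main__":
    for label, output in compare().items():
        print(f"{label:22s} {output}")
```

The point the example makes is that the escaping function has to match the output context: html_quote on the HTML page is correct, html_quote inside a script block is wrong twice over, and only an escape written for JavaScript string literals gives both correct rendering of the benign value and an inert payload.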