On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:

> Whithout the fix, virtually every Zope site in the world is vulnerable
> to URL-based cross-site scripting exploits.  For instance, any URL which
> contains invalid form variable marshalling can generate an error page
> which includes the erroneous value, unquoted.  E.g.:
> <URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealer

Do you plan to fix this bug?

Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to