On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:
> Without the fix, virtually every Zope site in the world is vulnerable
> to URL-based cross-site scripting exploits. For instance, any URL which
> contains invalid form variable marshalling can generate an error page
> which includes the erroneous value, unquoted. E.g.:
>
> <URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>
Do you plan to fix this bug? Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
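The failure mode Tres describes in the quoted message, shown as an added Python illustration that is not Zope's code and not part of either message in the thread. The `:int` suffix is Zope's form-variable marshalling convention; the `CONVERTERS` table, `marshal_query`, `FormConversionError` and the two `render_error_*` functions are hypothetical stand-ins written for this example. The sample URL is the one from the quoted message. The unquoted renderer reproduces the bug (request-derived text interpolated straight into the error page); the quoted renderer HTML-escapes every request-derived string first, which is the fix whether the application or the templating layer's autoquoting does it.

```python
# Added example (not Zope's code): a ':type' converter failure on a
# marshalled form variable leaks the raw value into an error page unless
# the error renderer HTML-escapes it.
from html import escape
from urllib.parse import parse_qsl, urlsplit


class FormConversionError(ValueError):
    """Raised when a ':type' suffix cannot be applied to a submitted value."""

    def __init__(self, field, raw_value, type_name):
        super().__init__(f"Field {field!r} is not a valid {type_name}")
        self.field = field
        self.raw_value = raw_value      # attacker-controlled text
        self.type_name = type_name


# Hypothetical stand-in for Zope's ':type' marshalling (a few converters only).
CONVERTERS = {
    "int": int,
    "float": float,
    "string": str,
}


def marshal_query(query):
    """Parse 'name:type=value' pairs and apply the named converter.

    On failure, raise FormConversionError carrying the offending raw value,
    which is exactly the value an error page is tempted to echo back.
    """
    form = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        name, _, type_name = key.partition(":")
        converter = CONVERTERS.get(type_name or "string", str)
        try:
            form[name] = converter(value)
        except ValueError:
            raise FormConversionError(name, value, type_name) from None
    return form


def render_error_unquoted(exc):
    """The bug described in the thread: raw value interpolated into HTML."""
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Invalid value for {exc.field}: {exc.raw_value}</p>"
        "</body></html>"
    )


def render_error_quoted(exc):
    """Hardened form: every request-derived string is HTML-escaped first."""
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Invalid value for {escape(exc.field)}: "
        f"{escape(exc.raw_value, quote=True)}</p>"
        "</body></html>"
    )


def error_page_for(url, quoted=True):
    """Handle one URL end to end and return (status, body)."""
    query = urlsplit(url).query
    try:
        marshal_query(query)
    except FormConversionError as exc:
        body = render_error_quoted(exc) if quoted else render_error_unquoted(exc)
        return 400, body
    return 200, "<html><body>ok</body></html>"


# Constructed request: the URL from the quoted message above.
SAMPLE_URL = (
    "http://somezopesite.com/looks/like/legitimate"
    "?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E"
)

if __name__ == "__main__":
    _, vulnerable = error_page_for(SAMPLE_URL, quoted=False)
    _, fixed = error_page_for(SAMPLE_URL, quoted=True)
    print("unquoted error page contains a live <script> tag:", "<script>" in vulnerable)
    print("quoted error page contains a live <script> tag:  ", "<script>" in fixed)
```

The check a reviewer wants is the negative one: after the fix, the error body must contain no unescaped `<` from the request, regardless of which converter failed. `parse_qsl` percent-decodes the value before the converter sees it, so the decoded `<script>` string is what `int()` rejects and what the renderer receives.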