On Mon, Aug 12, 2002 at 03:51:24PM +0100, Toby Dickenson wrote:
> On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:
> 
> > Without the fix, virtually every Zope site in the world is vulnerable
> > to URL-based cross-site scripting exploits.  For instance, any URL which
> > contains invalid form variable marshalling can generate an error page
> > which includes the erroneous value, unquoted.  E.g.:
> >
> > <URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>
> 
> Do you plan to fix this bug?
> 
> Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?

Together with the autoquoting changes, I tightened Exception messages; data
from REQUEST is quoted where I could reasonably suspect REQUEST data was
used.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
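The exchange above describes the sink in one sentence: a form variable declared with a `:int` style converter fails to convert, and the error page echoes the offending REQUEST value into HTML unquoted. The following is an added example, not Zope's own marshalling or exception code, that re-implements a small subset of that `name:type` form marshalling in plain Python and renders the error page both ways, so the difference between the pre-fix behaviour and quoting REQUEST-derived data in the exception message can be seen on a constructed input modelled on the URL in the thread. The converter table, `MarshalError` and the page templates are assumptions made for the example.

```python
"""
Added example (not Zope's code): toy Zope-style form-variable marshalling
(name:int, name:float, name:string) with an error page rendered unquoted
(the reflected-XSS sink discussed in the thread) and HTML-quoted (the fix).
"""
from html import escape
from urllib.parse import parse_qsl

# Converters keyed by the ":type" suffix. A small subset, assumed for the example.
CONVERTERS = {
    "int": int,
    "float": float,
    "string": str,
}


class MarshalError(ValueError):
    """Raised when a form value cannot be converted to its declared type."""

    def __init__(self, name, type_name, raw_value):
        self.name = name
        self.type_name = type_name
        self.raw_value = raw_value  # attacker-controlled REQUEST data
        super().__init__("invalid %s for %s: %r" % (type_name, name, raw_value))


def marshal_form(query_string):
    """Parse 'name[:type]=value' pairs into a dict of converted values."""
    form = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        name, _, type_name = key.partition(":")
        if not type_name:
            form[name] = value
            continue
        converter = CONVERTERS.get(type_name)
        if converter is None:
            raise MarshalError(name, type_name, value)
        try:
            form[name] = converter(value)
        except ValueError:
            raise MarshalError(name, type_name, value)
    return form


def error_page_unquoted(err):
    """Vulnerable pattern: REQUEST data interpolated into HTML as-is."""
    return "<h2>Bad Request</h2><p>Invalid %s for %s: %s</p>" % (
        err.type_name, err.name, err.raw_value)


def error_page_quoted(err):
    """Hardened pattern: every REQUEST-derived field is HTML-escaped."""
    return "<h2>Bad Request</h2><p>Invalid %s for %s: %s</p>" % (
        escape(err.type_name), escape(err.name), escape(err.raw_value))


def handle_request(query_string, quote=True):
    """Marshal the query string; on failure render the error page.

    Returns (status, body). quote=False reproduces the pre-fix behaviour.
    """
    try:
        form = marshal_form(query_string)
    except MarshalError as err:
        render = error_page_quoted if quote else error_page_unquoted
        return 400, render(err)
    return 200, "<p>form = %s</p>" % escape(repr(form))


if __name__ == "__main__":
    # Constructed query string modelled on the URL quoted in the thread.
    bad = "foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E"
    print(handle_request(bad, quote=False)[1])  # script tag reflected verbatim
    print(handle_request(bad, quote=True)[1])   # rendered as inert &lt;script&gt;
    print(handle_request("foo:int=42")[1])
```

The point worth checking in a real code base is the one Martijn describes: the escaping has to happen at every place where REQUEST data can reach an exception message, not only in the one error view, because any unquoted path is enough to reflect the value.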

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
