On Thu, Mar 13, 2003 at 06:11:32PM +0100, Florent Guillaume wrote:
> In article <[EMAIL PROTECTED]> you write:
> > - Cross-scripting issues:
> > I guess that some of those are still in the Zope Management Interface
> > (which is not meant to be used by untrusted users in most cases), but
> > Zope offers a lot of tools to make sure that it is hard to post
> > malicious code in forums, attack Zope via URLs etc.
> I've worked hard to remove all those in the DTML code. I've not audited
> the rest of the python code that generates HTML directly (code that
> should be taken out and shot), but I think there are patches for those
> in the collector.
And Florent's patches came on top of my DTML pro-active anti-HTML-from-
REQUEST-sourced-data changes that cause all outside strings to be HTML
quoted if they could *possibly* be used to construct HTML tags.
Some of my changes included taking out some of the directly-HTML-generating
python code to be shot without trial.
| Software Engineer mailto:[EMAIL PROTECTED]
| Zope Corporation http://www.zope.com/
| Creators of Zope http://www.zope.org/
Zope-Dev maillist - [EMAIL PROTECTED]
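As an added illustration of the quoting rule described in the message above (this is not Zope's code nor the poster's patches), the following Python model wraps every request value that contains `<`, and so could possibly form an HTML tag, in a marker class, and a toy `<dtml-var>` renderer HTML-quotes only those marked values while passing everything else through verbatim. The `TaintedString` and `taint_request` names, the `<`-only rule, and the sample form data are assumptions constructed for this example.

```python
import html
import re


class TaintedString(str):
    """Marker for request-sourced text that contains '<' and could therefore
    be used to build an HTML tag; a renderer must quote it before output."""

    def quoted(self):
        # Escape &, <, >, " and ' so the value can only ever render as text.
        return html.escape(str(self), quote=True)


def taint_request(form):
    """Wrap each request value that could possibly construct a tag.
    Assumed rule for this example: only values containing '<' are tainted."""
    return {k: TaintedString(v) if "<" in v else v for k, v in form.items()}


_VAR = re.compile(r"<dtml-var\s+(\w+)>")


def render(template, context):
    """Substitute <dtml-var name> from context. Tainted values are
    HTML-quoted; untainted values are inserted unchanged."""

    def substitute(match):
        value = context[match.group(1)]
        if isinstance(value, TaintedString):
            return value.quoted()
        return str(value)

    return _VAR.sub(substitute, template)


# Constructed sample: a search page that echoes the query back to the user.
TEMPLATE = "<p>Results for <b><dtml-var query></b></p>"
PLAIN_FORM = {"query": "zope & dtml"}              # no '<', left verbatim
TAG_FORM = {"query": "<script>alert(1)</script>"}  # contains '<', quoted


def render_plain():
    return render(TEMPLATE, taint_request(PLAIN_FORM))


def render_tag():
    return render(TEMPLATE, taint_request(TAG_FORM))
```

Note that a value without `<` (such as the lone `&` above) is deliberately not quoted under this rule, which is why the rule is described as catching strings that could form tags rather than as full output encoding.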