On Thu, Mar 13, 2003 at 06:11:32PM +0100, Florent Guillaume wrote:
> In article <[EMAIL PROTECTED]> you write:
> > - Cross-scripting issues:
> > 
> > I guess that some of those are still in the Zope Management Interface 
> > (which is not meant to be used by untrusted users in most cases), but 
> > Zope offers a lot of tools to make sure that it is hard to post 
> > malicious code in forums, attack Zope via URLs etc.
> I've worked hard to remove all those in the DTML code. I've not audited
> the rest of the python code that generates HTML directly (code that
> should be taken out and shot), but I think there are patches for those
> in the collector.

And Florent's patches came on top of my DTML pro-active anti-HTML-from-
REQUEST-sourced-data changes that cause all outside strings to be HTML
quoted if they could *possibly* be used to construct HTML tags.

Some of my changes included taking out some of the directly-HTML-generating
python code to be shot without trial.

Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )
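The behaviour Martijn describes above (strings that came in via REQUEST are HTML-quoted on output if they could possibly form markup, while template-authored strings pass through), as an added Python illustration that is not Zope's or the DTML engine's own code; the `Tainted` class, the tiny `render` substitution and the sample form data are constructed for this example.

```python
import html

class Tainted(str):
    """A string that came from outside (the REQUEST); never trusted as HTML."""
    pass

def taint_request(raw_form):
    """Wrap every REQUEST-sourced value so it carries its untrusted origin."""
    return {k: Tainted(v) for k, v in raw_form.items()}

def could_build_tag(s):
    """True if the text could construct, or break out of, HTML markup."""
    return any(c in s for c in '<>&"\'')

def quote_if_outside(value):
    """HTML-quote untrusted strings that could form markup; trusted ones pass."""
    if isinstance(value, Tainted) and could_build_tag(value):
        return html.escape(value, quote=True)
    return str(value)

def render(template, **names):
    """Minimal DTML-like substitution: <dtml-var name> becomes the quoted value."""
    out = template
    for name, value in names.items():
        out = out.replace('<dtml-var %s>' % name, quote_if_outside(value))
    return out

# Constructed sample form submission: the comment field carries a script tag.
RAW_FORM = {'author': 'alice', 'comment': '<script>alert(1)</script>'}
REQUEST = taint_request(RAW_FORM)
TEMPLATE = '<p><b><dtml-var title></b> by <dtml-var author>: <dtml-var comment></p>'

def render_post():
    """Render with a site-authored (trusted) title and untrusted REQUEST fields."""
    return render(TEMPLATE, title='<em>Reply</em>',
                  author=REQUEST['author'], comment=REQUEST['comment'])
```

The same `<em>` markup is kept when it is authored in the template but quoted when it arrives through REQUEST, which is the distinction the automatic quoting relies on.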
