On Thu, Mar 13, 2003 at 06:11:32PM +0100, Florent Guillaume wrote:
> In article <[EMAIL PROTECTED]> you write:
> > - Cross-scripting issues:
> >
> > I guess that some of those are still in the Zope Management Interface
> > (which is not meant to be used by untrusted users in most cases), but
> > Zope offers a lot of tools to make sure that it is hard to post
> > malicious code in forums, attack Zope via URLs etc.
>
> I've worked hard to remove all those in the DTML code. I've not audited
> the rest of the python code that generates HTML directly (code that
> should be taken out and shot), but I think there are patches for those
> in the collector.
And Florent's patches came on top of my DTML pro-active
anti-HTML-from-REQUEST-sourced-data changes that cause all outside strings to
be HTML quoted if they could *possibly* be used to construct HTML tags. Some
of my changes included taking out some of the directly-HTML-generating python
code to be shot without trial.

--
Martijn Pieters | Software Engineer   mailto:[EMAIL PROTECTED]
Zope Corporation| http://www.zope.com/ | Creators of Zope http://www.zope.org/
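The quote-by-default approach Martijn describes (every REQUEST-sourced string is HTML quoted unless the application explicitly vouches for it as markup) can be illustrated with a small template renderer. This is an added example written for this page, not Zope's or DTML's own code; the `render`, `html_quote` and `TrustedHTML` names, the `{name}` placeholder syntax and the sample request values are all assumptions constructed here, and the escaping is done with the Python standard library.

```python
import html
import re

# Constructed sample of request-sourced data, i.e. values a remote user
# controls. Both the tag and the attribute-breaking quote are typical
# test strings; they are constructed for this example, not taken from Zope.
SAMPLE_REQUEST = {
    "name": "<script>alert(1)</script>",
    "title": 'x" onmouseover="alert(2)',
    "body": "plain text & nothing else",
}


class TrustedHTML(str):
    """Marker type for markup the application itself produced.

    Only values wrapped in TrustedHTML bypass quoting. This is the assumed
    equivalent of an explicit 'structure'/'no quote' opt-out: the default
    is always to quote, and trusting a value must be a deliberate act.
    """


def html_quote(value):
    """Quote every character that could open or close a tag or attribute.

    html.escape(quote=True) rewrites < > & " and ', so an outside string
    can no longer construct a tag or break out of an attribute value.
    """
    if isinstance(value, TrustedHTML):
        return str(value)
    return html.escape(str(value), quote=True)


_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render(template, context):
    """Substitute {name} placeholders, passing each value through html_quote.

    The template author cannot forget to quote: quoting happens at the
    substitution point, not at each call site.
    """
    def substitute(match):
        return html_quote(context[match.group(1)])
    return _PLACEHOLDER.sub(substitute, template)


def render_unquoted(template, context):
    """The risky pattern for contrast: REQUEST data interpolated verbatim."""
    return _PLACEHOLDER.sub(lambda m: str(context[m.group(1)]), template)


def outside_data_left_markup(rendered, context):
    """Check used below: does any raw '<' from request data survive in the
    rendered output? (Trusted values are the application's own markup and
    are excluded from the check.)"""
    for value in context.values():
        if isinstance(value, TrustedHTML):
            continue
        if "<" in str(value) and str(value) in rendered:
            return True
    return False


if __name__ == "__main__":
    page = '<h1 title="{title}">Hello {name}</h1><p>{body}</p>'
    print("unquoted :", render_unquoted(page, SAMPLE_REQUEST))
    print("quoted   :", render(page, SAMPLE_REQUEST))
    # An application-generated fragment is the only thing allowed through.
    print("trusted  :", render("<p>{body}</p>", {"body": TrustedHTML("<b>ok</b>")}))
```

The design point is where the quoting lives: `render` quotes at the substitution site, so a template author has to do extra work (wrap a value in `TrustedHTML`) to emit raw markup, rather than extra work to be safe. Auditing then reduces to grepping for the trusted wrapper instead of reading every template.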