Alan Milligan wrote:
In addition to this problem, someone has changed manage_form_title.dtml and caused me grief!

The <dtml-var title> tag has been changed to <&dtml-title;>

This causes an implicit html-quote to now be performed which means that my <img> tag, inserted to display the product's icon to more strongly associate what is being created, now just writes the html into the title line.

Since nothing was broken in the first place, how about backing out this change.

That change is one of a number which are designed to prevent cross-site scripting attacks; DTML is particularly vulnerable to such cracks, as it doesn't force the template writer to choose the source from which the name will be bound.

Your scenario is actually quite close to the posited attack: imagine that user 'black_hat' inserts a document whose title has nasty javascript in an 'onload' attribute of a tag; such javascript can be used, for instance, to steal cookies, to post to 'manage_shutdown', etc.

Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"

Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - )

Reply via email to