Tres Seaver wrote:

Alan Milligan wrote:

In addition to this problem, someone has changed manage_form_title.dtml and caused me grief!

The <dtml-var title> tag has been changed to <&dtml-title;>

This causes an implicit html-quote to now be performed which means that my <img> tag, inserted to display the product's icon to more strongly associate what is being created, now just writes the html into the title line.

Since nothing was broken in the first place, how about backing out this change.

That change is one of a number which are designed to prevent cross-site scripting attacks; DTML is particularly vulnerable to such cracks, as it doesn't force the template writer to choose the source from which the name will be bound.

Your scenario is actually quite close to the posited attack: imagine that user 'black_hat' inserts a document whose title has nasty javascript in an 'onload' attribute of a tag; such javascript can be used, for instance, to steal cookies, to post to 'manage_shutdown', etc.



Who are we trying to protect ourselves from?? Any Zope product is automatically supposed to be 'trusted' by virtue of being written to the Products directory. Surely protecting ourselves from malicous product developers is not within the bounds of the existing product framework. Given I've written the dtml in the first place, I could write my cookie stealer *anywhere* in my dtml.

Whenever we install software on a networked device, we have to assess the security risks against the perceived benefit of the software's functionality. Installation of a Zope product is not without risk, especially if the author is not known. As you are suggesting, installing a Zope product could not only attack our system, but that of any hosted website user, so there are many stakeholders interested in security assurance.

This is the lamest excuse I could imagine for justifying this change.

Cheers, Alan

Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - )

Reply via email to