Isn't this an issue because all of these quasi-private methods have a docstring and are hence callable via an HTTP request? If we were to remove the docstring from manage_form_title (i.e. by rewriting this as a Python method which delegates to the underlying DTML (made private)), then this method would render itself callable only via DTML/ZPT etc., wouldn't it?
Shane Hathaway wrote:
On Fri, 16 Jan 2004, Alan Milligan wrote:
Tres Seaver wrote:
That change is one of a number which are designed to prevent cross-site scripting attacks; DTML is particularly vulnerable to such cracks, as it doesn't force the template writer to choose the source from which the name will be bound.
Wooahh
Who are we trying to protect ourselves from??
We are protecting ourselves from nasty URLs written by anyone on the web. Because DTML is so implicit, it is conceivable that a URL like the following might kill your site (or worse!):
For a black hat to exploit your site, he only needs to convince you to follow the link. This is what is known as a cross-site scripting bug and it's a widespread problem for all dynamic web servers like Zope. People are really concerned about it. The only cure is to HTML-quote by default. FWIW:
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
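To illustrate the two points the thread makes (DTML binds a name from whichever namespace supplies it first, so a name the object does not define can come from the request, and HTML-quoting by default is the cure), here is an added Python model of that lookup. It is not Zope's DocumentTemplate code; `render`, `lookup`, `binding_sources`, the `VAR_RE` pattern and the sample object/request values are all constructed for the example.

```python
import html
import re

# Simplified stand-in for DTML's implicit namespace lookup (assumption: a
# toy model, not Zope's real DocumentTemplate implementation). A
# <dtml-var name> is resolved by searching a stack of mappings in order;
# in Zope that stack typically ends with the REQUEST, so a name the object
# does not define falls through to whatever the URL query string supplies.
VAR_RE = re.compile(r"<dtml-var\s+(\w+)>")


def lookup(name, namespace_stack):
    """Return the first binding of `name`, innermost mapping first."""
    for mapping in namespace_stack:
        if name in mapping:
            return mapping[name]
    raise KeyError(name)


def render(template, namespace_stack, quote_by_default):
    """Render `template`; with quote_by_default each value is HTML-escaped."""
    def substitute(match):
        value = str(lookup(match.group(1), namespace_stack))
        return html.escape(value, quote=True) if quote_by_default else value
    return VAR_RE.sub(substitute, template)


def binding_sources(template, namespace_stack, labels):
    """Defender-side check: report which namespace each variable binds to,
    so request-bound names in a template can be spotted before deployment."""
    result = {}
    for name in VAR_RE.findall(template):
        result[name] = None
        for label, mapping in zip(labels, namespace_stack):
            if name in mapping:
                result[name] = label
                break
    return result


# Constructed sample: the object defines `title` only, so `form_title`
# falls through to the request's form data (a query-string parameter).
OBJECT = {"title": "Site home"}
REQUEST_FORM = {"form_title": "<script>alert(1)</script>"}
TEMPLATE = "<h1><dtml-var title></h1><h2><dtml-var form_title></h2>"

if __name__ == "__main__":
    stack = [OBJECT, REQUEST_FORM]
    print(render(TEMPLATE, stack, quote_by_default=False))  # raw markup reflected
    print(render(TEMPLATE, stack, quote_by_default=True))   # &lt;script&gt;...
    print(binding_sources(TEMPLATE, stack, ["object", "REQUEST"]))
```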