On Mon, Aug 12, 2002 at 03:51:24PM +0100, Toby Dickenson wrote:
On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:
Whithout the fix, virtually every Zope site in the world is vulnerable to URL-based cross-site scripting exploits. For instance, any URL which contains invalid form variable marshalling can generate an error page which includes the erroneous value, unquoted. E.g.:
<URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealer t('Owned')%3C/script%3E>
Do you plan to fix this bug?
Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?
Together with the autoquoting changes, I tightened Exception messages; data from REQUEST is quoted where I could reasonably suspect REQUEST data was used. -- Martijn Pieters | Software Engineer mailto:mj@zope.com | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ ---------------------------------------------