What does this have to do with Zope? It's down to an individual application.

----- Original Message -----
From: "ALife" <buginfo@inbox.ru>
To: <Zope-Dev@zope.org>
Sent: Sunday, September 23, 2001 10:23 AM
Subject: [Zope-dev] New: Cross Site Scripting vulnerability
Example:
http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/lalalalal<SCRIPT>alert(document.domain)</SCRIPT>
http://www.zope.org/<SCRIPT>alert(document.cookie)</SCRIPT>
For example, an attacker might post a message like
Hello message board. This is a message. <SCRIPT>malicious code</SCRIPT> This is the end of my message.
When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.
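An added example, not part of either message in this thread and not Zope's own code: it assumes the requested path is echoed into a "not found" page, shows that rendering beside one that HTML-encodes the path at the point of output, and applies the same encoding to a message-board body. The function names, page markup and sample paths are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample request paths, modelled on the URLs in the report.
SAMPLE_PATHS = [
    "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>",
    "/lalalalal%3CSCRIPT%3Ealert(document.domain)%3C/SCRIPT%3E",
    "/Documentation/ZopeBook",
]

PAGE = "<html><body><p>Resource not found: %s</p></body></html>"


def not_found_unsafe(raw_path):
    """Error page that echoes the requested path verbatim (assumed behaviour)."""
    return PAGE % unquote(raw_path)


def not_found_safe(raw_path):
    """Same page, with the path HTML-encoded where it is written out."""
    return PAGE % html.escape(unquote(raw_path), quote=True)


def render_post_safe(body):
    """Message-board body rendered as text, so embedded tags stay inert."""
    return '<div class="post">%s</div>' % html.escape(body, quote=True)


def contains_active_tag(page):
    """Crude check, used only to compare the renderings in this example."""
    lowered = page.lower()
    return any(t in lowered for t in ("<script", "<object", "<applet", "<embed"))


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path)
        print("  unsafe page has live tag:", contains_active_tag(not_found_unsafe(path)))
        print("  safe page has live tag:  ", contains_active_tag(not_found_safe(path)))
    print(render_post_safe("This is a message. <SCRIPT>malicious code</SCRIPT>"))
```

The encoding is applied when the value is written into HTML, not when it is received, so the same rule covers both the echoed URL and the stored message.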