On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > The risk for breakage is very small really
>
> Your choice of '<' and html_quote suggests that my dtml code which generates javascript and vbscript carries a higher risk than dtml which generates html.

Only if you generated that script using data from the REQUEST, implicitly. Which was bad in the first place.

> > , and breakage will generally only occur when someone is trying to exploit the weakness, not in normal operation of the site.
>
> The fact that your change uses html_quote to 'fix' the problem rather than sounding 'hacker alert' alarm bells suggests to me that you don't really believe that ;-)

Again, the wide scope of DTML use would make such bells warble prematurely all too often. The normal, recommended fix for the general weakness is to always use HTML quote.

-- 
Martijn Pieters | Software Engineer mailto:mj@zope.com
Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/
---------------------------------------------
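The exchange above turns on one point: html_quote neutralises REQUEST data that is interpolated into HTML, but DTML that interpolates the same data into a JavaScript string literal needs a different escaper. The following is an added illustration, not code from this thread and not Zope's own code. It re-implements the html_quote entity table as DTML defined it (an assumption: `&`, `<`, `>`, `"` and nothing else), puts a JavaScript-string escaper next to it, and applies both to constructed attacker-controlled values in the two contexts Toby and Martijn are discussing.

```python
# Added example, not code from the thread or from Zope. It re-implements the
# html_quote entity table as DTML defined it (assumption: &, <, >, " and nothing
# else) and contrasts an HTML context with a JavaScript-string context.

HTML_ENTITIES = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;"))


def html_quote(value):
    """Escape the characters that can change HTML structure.

    Order matters: '&' is replaced first so the entities introduced for the
    other characters are not themselves re-escaped.
    """
    s = str(value)
    for ch, ent in HTML_ENTITIES:
        s = s.replace(ch, ent)
    return s


def js_quote(value):
    """Escape a value for use inside a JavaScript string literal.

    Backslashes and both quote characters are backslash-escaped; '<', '>',
    '&', control characters and the JS line terminators U+2028/U+2029 are
    emitted as \\uXXXX so the literal can never contain '</script>' or break
    the line structure of the enclosing <script> block.
    """
    out = []
    for ch in str(value):
        if ch == "\\":
            out.append("\\\\")
        elif ch in "'\"":
            out.append("\\" + ch)
        elif ch in "<>&\u2028\u2029" or ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_html(name, quoter=html_quote):
    """What <p>Hello, <dtml-var name html_quote></p> would produce."""
    return "<p>Hello, %s</p>" % quoter(name)


def render_js(name, quoter=html_quote):
    """What var user = '<dtml-var name html_quote>'; would produce."""
    return "var user = '%s';" % quoter(name)


def unescaped_single_quotes(js_src):
    """Count single quotes not preceded by an odd run of backslashes.

    A correctly rendered literal of the form var user = '...'; has exactly two.
    """
    count = 0
    for i, ch in enumerate(js_src):
        if ch != "'":
            continue
        backslashes = 0
        j = i - 1
        while j >= 0 and js_src[j] == "\\":
            backslashes += 1
            j -= 1
        if backslashes % 2 == 0:
            count += 1
    return count


def js_literal_intact(js_src):
    """True when the rendered statement still has only its two delimiter quotes."""
    return unescaped_single_quotes(js_src) == 2


if __name__ == "__main__":
    # Constructed attacker-controlled REQUEST values, not data from the thread.
    html_payload = '<script>alert("x")</script>'
    js_payload = "'; alert(1); //"

    print(render_html(html_payload))                          # tags become &lt;script&gt;...
    print(render_js(js_payload))                              # html_quote leaves the ' alone
    print(js_literal_intact(render_js(js_payload)))           # False
    print(js_literal_intact(render_js(js_payload, js_quote))) # True
```

In the HTML context html_quote does exactly what Martijn describes: the `<`, `>` and `"` of the injected tag become entities and the browser shows text. In the script context it does nothing useful, because a single quote is not in its entity table, which is the case Toby is pointing at: the value must be escaped for the grammar it lands in (here a JS string literal), and `<`/`>` are still escaped so the literal cannot close the enclosing `<script>` element.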