12 Aug 2002, 2:51 p.m.
On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:
Without the fix, virtually every Zope site in the world is vulnerable to URL-based cross-site scripting exploits. For instance, any URL which contains invalid form variable marshalling can generate an error page which includes the erroneous value, unquoted. E.g.:
<URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>
Do you plan to fix this bug? Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?
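The error-page echo that the quoted message describes, as an added example that is not code from the original thread or from Zope itself: a constructed, simplified stand-in for Zope's `name:type` form-variable marshalling, with the unquoted error renderer beside an HTML-escaped one. The converter table, the sample query string and the page layout are assumptions.

```python
import html
from urllib.parse import parse_qsl

# Assumed, simplified model of Zope-style ':type' marshalling suffixes.
# This is an illustrative stand-in, not Zope's own converter table.
_CONVERTERS = {"int": int, "float": float, "string": str}


def marshal_form(query_string):
    """Decode a query string and apply 'name:type' conversions.

    Returns (values, errors); errors is a list of
    (field_name, raw_value, message) for inputs that failed to convert.
    """
    values, errors = {}, []
    for key, raw in parse_qsl(query_string):
        name, _, typ = key.partition(":")
        conv = _CONVERTERS.get(typ, str)
        try:
            values[name] = conv(raw)
        except ValueError:
            errors.append((name, raw, "invalid %s" % typ))
    return values, errors


def render_error_unquoted(errors):
    """Vulnerable form: the raw value is interpolated straight into markup,
    so a crafted value like <script>...</script> becomes live HTML."""
    items = "".join("<li>Field %s: %s (%s)</li>" % (name, raw, msg)
                    for name, raw, msg in errors)
    return "<html><body><h1>Error</h1><ul>%s</ul></body></html>" % items


def render_error_quoted(errors):
    """Hardened form: every untrusted fragment is HTML-escaped first,
    so the same value is shown as text rather than executed."""
    items = "".join("<li>Field %s: %s (%s)</li>" % tuple(
        html.escape(part) for part in (name, raw, msg))
                    for name, raw, msg in errors)
    return "<html><body><h1>Error</h1><ul>%s</ul></body></html>" % items


def error_page_for(query_string, quote=True):
    """Marshal the query and render the error page for any failures."""
    _, errors = marshal_form(query_string)
    if not errors:
        return ""
    return render_error_quoted(errors) if quote else render_error_unquoted(errors)


if __name__ == "__main__":
    # Constructed sample query mirroring the shape of the URL quoted above.
    sample = "foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E&bar:int=7"
    print(error_page_for(sample, quote=False))
    print(error_page_for(sample, quote=True))
```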