Hello message board. This is a message. <SCRIPT>malicious code</SCRIPT> This is the end of my message.
I don't really see your point other than that a carelessly implemented app may expose these kinds of vulnerabilities. Python (and hence Zope) has a library for stripping out this sort of malicious HTML.
Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this can be used.
Umm, Chris, you're right, but this example http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT> executes the script. I don't exactly see why/where, but I feel this really shouldn't happen. As I see it, it's more a problem of Zope's standard_error page, which constructs links to the classic Zope site. I don't see a Zope-specific bug here, either. Cheers, Oliver
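The two failure modes in this thread are the same bug seen from two sides: Chris's point about stripping script tags out of posted messages, and Oliver's observation that an error page which echoes the requested path back into a link executes whatever the path contains. The following is an added example, not code from the thread, from Zope, or from Strip-o-Gram; the function names (error_page_unsafe, error_page_escaped, sanitize) and the allowlist sanitizer are my own, written with the standard library's html and html.parser modules as a stand-in for whatever stripping library the site actually uses. It shows the reflected case first (the path from Oliver's URL interpolated verbatim versus escaped) and then a stored-content sanitizer that drops script elements together with their contents, unknown tags, and javascript: hrefs, run over the message from the first post.

```python
import html
from html.parser import HTMLParser

# Constructed inputs taken from the thread: a request path carrying a script
# element, and the demo message from the first post.
EVIL_PATH = "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>"
DEMO_MESSAGE = ("Hello message board. This is a message. "
                "<SCRIPT>malicious code</SCRIPT> This is the end of my message.")


def error_page_unsafe(path: str) -> str:
    """Reflected XSS: the requested path is dropped into markup untouched,
    which is the shape of problem Oliver describes in the error page."""
    return f'<p>Resource not found: <a href="{path}">{path}</a></p>'


def error_page_escaped(path: str) -> str:
    """Same page, but every reflected value is HTML-escaped. In an attribute
    quote=True also escapes the quote characters so the value cannot break
    out of the href."""
    safe = html.escape(path, quote=True)
    return f'<p>Resource not found: <a href="{safe}">{safe}</a></p>'


# Tags and attributes a message-board post is allowed to keep (assumed policy).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
# Only absolute http(s)/mailto links survive; javascript:, data: and relative
# URLs are all dropped in this deliberately strict toy policy.
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistStripper(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags/attributes. The text
    inside <script> and <style> is discarded entirely rather than being
    re-emitted as text, since escaping 'malicious code' would still leave it
    visible in the post."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onclick=, style=, etc.
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and friends
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Void elements such as <br/> get a start tag only, not <br></br>.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped so stray '<' in a post cannot form a tag.
            self.out.append(html.escape(data, quote=False))


def sanitize(markup: str) -> str:
    """Return the allowlisted form of a posted message."""
    stripper = AllowlistStripper()
    stripper.feed(markup)
    stripper.close()
    return "".join(stripper.out)


if __name__ == "__main__":
    print(error_page_unsafe(EVIL_PATH))   # the script element comes back live
    print(error_page_escaped(EVIL_PATH))  # it comes back as inert text
    print(sanitize(DEMO_MESSAGE))         # script element and its body are gone
```

The escape-on-output fix and the strip-on-input fix are not substitutes for each other: the error page has no business sanitizing the URL into "clean HTML", it should never treat it as HTML at all, while a message board that wants to allow some markup needs an allowlist like the one above, and should still escape on output anything it did not sanitize.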