Squishdot <squishdot@yahoo.com> wrote
Hi all,
CERT has issued a security advisory regarding improperly checked output from dynamic pages.
The CERT advisory can be found at:
http://www.cert.org/advisories/CA-2000-02.html.
Unfortunately, Squishdot is vulnerable to such problems. However, I (and others in the Zope community) am trying to find a permanent solution to this. Of course, your help is also welcome (code patches accepted :^))
While each site (e.g. depending on the audience, accessibility, amount of traffic) is vulnerable in varying degrees to these types of problems, I would urge each administrator to evaluate their own security policies regarding these problems and take steps appropriate for their own circumstances.
In the meantime -- temporarily -- the best way to deal with the problem is to turn moderation on for everything, and then properly check each posting manually.
Regards,
Butch
What we need is a handy-dandy-clean-up-user-submitted-HTM-to-take-home-to-Mama function, coded in Python. It would need to strip out / quote ANY "unapproved" tags (for structured text, would it be enough just to quote "&", "<", and ">"?). The list of allowable tags might be passed in as a list, but a first cut could just hardcode "[ 'em', 'strong', 'ul', 'ol', 'li', 'dl', 'dt', 'dd' ]" (or whatever) and be fine. Anyone feel inspired to write it? -- ========================================================= Tres Seaver tseaver@palladion.com 713-523-6582 Palladion Software http://www.palladion.com