At 01:39 PM 2/27/2003, Jamie Heilman wrote:
> Pragmatically this is the same as HTML quoting. (That's not always the case, unfortunately.)
Could you offer an example where &dtml-some_var; returns something different from <dtml-var some_var html_quote>?
> Cache poisoning is a big problem with Zope.
I read your post on VHM exploits a couple of weeks ago. Is this the scope of the problem? Is the problem solved by using a proxy cache to drop any requests that contain the magic VHM-related strings? Or does it go deeper?

Also, how does using &dtml-URL1; do anything to guard against this? Won't URL1 resolve to what follows VirtualHostBase in either syntax? Limited testing suggests that this is the case... but maybe I'm not being clever enough?

I've got a HOWTO that includes information on virtual hosting... I'll be sure to add this information and any other advice or insight you're able to offer.

Thanks,
Dylan
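The proxy-side filter Dylan asks about, written out as an added example (it is not code from this thread, from Zope, or from Dylan's HOWTO). The function names `is_vhm_request` and `filter_requests` and the sample paths are constructed for illustration. The check looks for the three path forms the Virtual Host Monster interprets (the `VirtualHostBase` and `VirtualHostRoot` segments and any segment starting with `_vh_`) in the client-supplied path, after percent-decoding each segment, since the web server decodes PATH_INFO before Zope sees it and a raw-string match would otherwise miss an encoded directive. It says nothing about how URL1 resolves; that is the open question in the message above.

```python
from urllib.parse import unquote

# Path segments the Virtual Host Monster treats as rewriting directives.
VHM_MARKERS = {"VirtualHostBase", "VirtualHostRoot"}
VHM_PREFIX = "_vh_"


def is_vhm_request(path: str) -> bool:
    """Return True if a client-supplied path carries VHM rewriting directives.

    Each segment is percent-decoded before matching so that an encoded
    directive (e.g. %56irtualHostBase) is caught as well as the plain form.
    """
    for raw_segment in path.split("/"):
        segment = unquote(raw_segment)
        if segment in VHM_MARKERS or segment.startswith(VHM_PREFIX):
            return True
    return False


def filter_requests(paths):
    """Split request paths into (allowed, dropped) as a front proxy would.

    Only paths arriving from clients should be checked; the proxy itself
    prepends its own VHM prefix after this filter has run.
    """
    allowed, dropped = [], []
    for path in paths:
        (dropped if is_vhm_request(path) else allowed).append(path)
    return allowed, dropped


# Constructed sample request paths, not captured traffic.
SAMPLE_PATHS = [
    "/site/index_html",
    "/VirtualHostBase/http/www.example.com:80/site/VirtualHostRoot/index_html",
    "/site/VirtualHostRoot/_vh_foo/index_html",
    "/%56irtualHostBase/http/other.example:80/site/VirtualHostRoot/index_html",
]

if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_PATHS)
    for p in ok:
        print("allow", p)
    for p in bad:
        print("drop ", p)
```

Run stand-alone, the block prints one allowed path and three dropped ones. The filter is only as good as its placement: it must see the path exactly as the client sent it, in front of anything that adds the legitimate VHM prefix.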