Evan Simpson wrote:
----- Original Message ----- From: Squishdot <squishdot@yahoo.com>
tres seaver <tseave-@palladion.com> wrote:
The key issue lies in embedding <SCRIPT>...</SCRIPT> chunks (or their immoral equivalents, <OBJECT>, <EMBED>, and <APPLET>).
Yes, I've been reading up on it as well. I'll be studying this issue as well WRT Squishdot. I would probably need to add some validation to Squishdot to filter out these *malicious tags* -- if anyone in the Zope/Squishdot has ideas/code to fix this, please contact me ASAP.
Slashdot.org has had to deal with this issue for quite some time, and is high-profile enough to attract many *cough* security testers *cough*. They forbid anything not on a short list of harmless tags.
However, as demonstrated in the thread on Slashdot, if you don't convert '%nn' style characters to their actual values, malicious code can get through.

Cheers...
Bruce
--
Bruce Elrick, Ph.D.
Saltus Technology Consulting Group
Personal: belrick@home.com
IBM Certified Specialist
Business: belrick@saltus.ab.ca
ADSM, AIX Support, RS/6000 SP, HACMP
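The two points raised above, a short allowlist of harmless tags and decoding '%nn' sequences before filtering, as an added example in Python (Squishdot being a Zope product); this is illustrative code, not Squishdot's or Slashdot's own filter. The tag and attribute allowlists and the `naive_strip` helper are assumptions chosen for the demonstration. `naive_strip` shows the weak approach: a regex over the raw submission that never sees `%3Cscript%3E`. `sanitize` percent-decodes first (a bounded loop, so double-encoded input is also normalised), then rebuilds the post from a parser so entity-encoded tags and `javascript:` links are neutralised too.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumed allowlist of harmless tags and attributes (not the Slashdot list).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def naive_strip(text):
    """The weak approach: regex away dangerous tags on the raw submission.
    '%3Cscript%3E' contains no literal '<', so it passes straight through."""
    return re.sub(r"</?(script|object|embed|applet)[^>]*>", "", text, flags=re.I)


def percent_decode(text, max_rounds=3):
    """Turn '%nn' sequences into their actual characters before filtering.
    Repeats a few times so '%253C' (double-encoded '<') is decoded as well."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            return decoded
        text = decoded
    return text


class Sanitizer(HTMLParser):
    """Rebuild the input keeping only allowlisted tags and attributes.
    Everything else (script/object/embed/applet, event handlers, comments)
    is dropped and all text is re-escaped on output."""

    def __init__(self):
        # convert_charrefs=True: '&lt;script&gt;' arrives as text, not a tag,
        # and is re-escaped by handle_data, so it stays inert.
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onmouseover=, style=, etc.
            v = (value or "").strip()
            # HTMLParser already decodes '&#106;avascript:' in attribute values,
            # so a scheme check here catches entity-obfuscated URLs as well.
            if name == "href" and not v.lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(v, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # '<br/>' -> '<br>'

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(text):
    """Decode '%nn' first, then keep only allowlisted markup."""
    parser = Sanitizer()
    parser.feed(percent_decode(text))
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample submissions, not real posts.
    payload = "%3Cscript%3Ealert(1)%3C/script%3E"
    print("naive :", naive_strip(payload))   # still contains %3Cscript
    print("strict:", sanitize(payload))      # just the text 'alert(1)'
    print(sanitize('<a href="javascript:alert(1)">x</a><b onmouseover="evil()">bold</b>'))
```

Decoding before filtering is the conservative direction: if the site (or a browser) will ever decode the stored text once more, the filter must have seen the decoded form. Re-escaping all text on output, rather than only removing known-bad tags, is what makes the allowlist hold up against encodings the blocklist never anticipated.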