CERT has released a fairly dire advisory on the dangers of dynamic page generation when coupled with untrusted content submission:

http://www.cert.org/advisories/CA-2000-02.html

Anyone care to comment on Zope's vulnerability here? For instance, the ZGotW site allows submissions in structured text, plain text, and HTML -- but now I am probably going to htmlquote() the last, which kills a lot of the point of it, no?

The key issue lies in embedding <SCRIPT>...</SCRIPT> chunks (or their immoral equivalents, <OBJECT>, <EMBED>, and <APPLET>). Consider, for instance, those nasty pop-up windows launched by some "free" webspace providers; then consider what happens in Squishdot, ZGotW, or any other site which permits users to enter arbitrary HTML as part of the feedback/collaboration process. Not a pretty scene!

Tres.
--
=========================================================
Tres Seaver tseaver@palladion.com 713-523-6582
Palladion Software http://www.palladion.com
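Between running htmlquote() over every HTML submission and publishing it raw, a site can filter submissions against an allowlist: keep a few formatting tags, strip every attribute, and drop the active-content elements named above together with their bodies. The sketch below is an added example, not code from the post, Zope, Squishdot or ZGotW; the tag list, the `sanitize` name and the sample input are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: formatting tags a feedback form might keep.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "pre", "code", "blockquote", "a"}
# Elements whose body must vanish too. <embed> has no body, so it is simply
# dropped as an unknown tag by the allowlist check below.
DROP_WITH_BODY = {"script", "object", "applet", "style"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            kept = ""  # all attributes (onclick, style, ...) are discarded
            if tag == "a":
                # Re-emit href only when it carries an explicit safe scheme.
                href = (dict(attrs).get("href") or "").strip()
                if href.lower().startswith(SAFE_SCHEMES):
                    kept = ' href="%s" rel="nofollow"' % escape(href, quote=True)
            self.out.append("<%s%s>" % (tag, kept))
        # Any other tag is removed; its text still reaches handle_data.

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))  # text is always quoted


def sanitize(html_text):
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


# Constructed sample submission, not taken from any real site.
SAMPLE = ('<p onclick="x()">Hi <b>there</b><script>alert(1)</script>'
          '<a href="javascript:alert(1)">l</a><embed src="x.swf"> &amp; '
          '<a href="https://example.org/?a=1&amp;b=2">ok</a></p>')
```

Comments, declarations and processing instructions are discarded because the parser's default handlers for them emit nothing; an unclosed dropped element fails closed by swallowing the rest of the submission.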