Re: [Zope-dev] New: Cross Site Scripting vulnerability
> > Hello message board. This is a message. <SCRIPT>malicious code</SCRIPT> This is the end of my message.
>
> I don't really see your point other than a carelessly implemented app may expose this kind of vulnerability. Python (and hence Zope) has a library for stripping out this sort of malicious HTML.
> Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this can be used.

umm chris,

you're right, but this example

http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>

executes the script. I don't exactly see why/where but I feel this really shouldn't happen. As I see it, it's more a problem of zope's standard_error page, which constructs links to the classic zope site. I don't see a zope-specific bug here, either.

cheers,
oliver
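The mechanism Oliver describes, an error page that builds a link out of the requested path without escaping it, as an added example in Python. This is not Zope's own standard_error_message and not code from anyone on this thread; the renderer names, the base URL and the check are constructed for illustration.

```python
"""Reflected XSS in an error page that echoes the request path.

Added example, not Zope project code. The two renderers, the base URL and
the payload below are constructed for illustration only.
"""
import html
from urllib.parse import quote

# Constructed payload shaped like the URL discussed in the thread.
PATH = "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>"
BASE = "http://www.zope.org"  # assumed base the error page links back to


def render_error_unescaped(path: str) -> str:
    """The 'before': the requested path is pasted into the HTML as-is, so
    any tags that arrive in the URL become tags in the rendered page."""
    return '<p>Resource not found: <a href="%s%s">%s</a></p>' % (BASE, path, path)


def render_error_escaped(path: str) -> str:
    """The hardened form. The path is percent-encoded for the href
    (an attribute that is also a URL) and entity-escaped for the visible
    link text. Each output context gets the encoding it needs, and no
    literal '<' from the request survives into the markup."""
    href = BASE + quote(path, safe="/")
    return '<p>Resource not found: <a href="%s">%s</a></p>' % (
        html.escape(href, quote=True),
        html.escape(path, quote=True),
    )


def contains_script_tag(page: str) -> bool:
    """Crude detection check: did a <script> element survive rendering?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, render in (("unescaped", render_error_unescaped),
                         ("escaped", render_error_escaped)):
        page = render(PATH)
        print(name, "->", page)
        print(name, "reflects a script tag:", contains_script_tag(page))
```

Whether a given browser actually runs the reflected tag (the question raised later in the thread) does not change the finding: the defect is in the page that echoes the path, and the escaped renderer removes it regardless of client.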
On Sun, 2001-09-23 at 15:17, Oliver Bleutgen wrote:

> > > Hello message board. This is a message. <SCRIPT>malicious code</SCRIPT> This is the end of my message.
> >
> > I don't really see your point other than a carelessly implemented app may expose this kind of vulnerability. Python (and hence Zope) has a library for stripping out this sort of malicious HTML.
> > Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this can be used.
>
> umm chris,
> you're right, but this example
> http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
> executes the script. I don't exactly see why/where but I feel

Perhaps it is a browser thing? It isn't being executed by Galeon.

Bill
[Bill Anderson]

> > umm chris,
> > you're right, but this example
> > http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
> > executes the script. I don't exactly see why/where but I feel
>
> Perhaps it is a browser thing? It isn't being executed by Galeon.
>
> Bill

Pasting that URL into IE and Netscape 4.73 in Win2000 didn't execute it either.

Tom P
participants (3)

- Bill Anderson
- Oliver Bleutgen
- Thomas B. Passin