[Zope-dev] New: Cross Site Scripting vulnerability

Oliver Bleutgen <myzope@gmx.net>
Sun, 23 Sep 2001 23:19:49 +0200


Aargh, 
I sent that first to zope@zope.org ...

>>         Hello message board. This is a message.
>>                <SCRIPT>malicious code</SCRIPT>
>>         This is the end of my message.

> I don't really see your point other than a carelessly implemented app may
> expose these kinds of vulnerabilities. Python (and hence Zope) has a library
> for stripping out this sort of malicious HTML.

> Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this
> can be used.

umm Chris,

you're right, but this example

http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>

executes the script. I don't exactly see why/where but I feel 
this really shouldn't happen. As I see it, it's more a problem 
of Zope's standard_error page, which constructs links to the 
classic Zope site. I don't see a Zope-specific bug here, either.

cheers,
oliver
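
The behaviour described in the message above, as an added example that is not part of the original post and not Zope's own code: an error page that echoes the requested path into its body and into a link, first verbatim and then encoded for each output context. The function names, the page template and the `CLASSIC_SITE` placeholder host are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Placeholder base URL (assumption); the real link target is not given in the post.
CLASSIC_SITE = "http://classic.example.invalid"

# Path taken from the URL quoted in the message.
SAMPLE_PATH = "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>"


def error_page_unsafe(path):
    """Echo the requested path verbatim: markup in the path becomes markup in the page."""
    return (
        "<html><body><h1>Resource not found</h1>"
        f"<p>{path} could not be found. "
        f'<a href="{CLASSIC_SITE}{path}">Try the classic site</a></p>'
        "</body></html>"
    )


def error_page_safe(path):
    """Same page, with the path encoded for each context it is written into."""
    # Text context: HTML-escape so < and > are rendered as characters, not tags.
    text = html.escape(path, quote=True)
    # URL context: percent-encode the path, then escape the whole attribute value.
    href = html.escape(CLASSIC_SITE + quote(path, safe="/"), quote=True)
    return (
        "<html><body><h1>Resource not found</h1>"
        f"<p>{text} could not be found. "
        f'<a href="{href}">Try the classic site</a></p>'
        "</body></html>"
    )


class _ScriptCounter(HTMLParser):
    """Counts <script> elements the way an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag names
            self.scripts += 1


def script_elements(page):
    counter = _ScriptCounter()
    counter.feed(page)
    counter.close()
    return counter.scripts
```
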