[Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

Toby Dickenson tdickenson@geminidataloggers.com
Mon, 12 Aug 2002 15:51:24 +0100


On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:

> Whithout the fix, virtually every Zope site in the world is vulnerable
> to URL-based cross-site scripting exploits.  For instance, any URL which
> contains invalid form variable marshalling can generate an error page
> which includes the erroneous value, unquoted.  E.g.:
>
> <URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>

Do you plan to fix this bug?

Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?
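The failure mode Tres describes (a ":int" form variable that fails to marshal, whose raw value is then echoed into an error page without HTML quoting) can be reproduced in a few lines. The following is an added illustration, not Zope's marshalling or error-page code: it implements a hypothetical, much-simplified version of "name:type=value" conversion, renders the resulting errors once unquoted (the vulnerable behaviour) and once HTML-escaped (the autoquoting fix), and uses a constructed URL with a harmless <b> tag as the bad value.

```python
from html import escape
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request: "foo" carries a value that is not an int.
CONSTRUCTED_URL = (
    "http://example.invalid/looks/like/legitimate"
    "?foo:int=%3Cb%3Enot-a-number%3C/b%3E&bar:int=42"
)

# Hypothetical, simplified converter table; Zope's real marshalling is richer.
CONVERTERS = {"int": int, "float": float, "string": str}


def marshal_form(query):
    """Convert 'name:type=value' pairs. Returns (values, errors), where each
    error is (name, raw_value, message) with the raw value left untouched."""
    values, errors = {}, []
    for key, raw in parse_qsl(query, keep_blank_values=True):
        name, _, type_name = key.partition(":")
        type_name = type_name or "string"
        converter = CONVERTERS.get(type_name)
        if converter is None:
            errors.append((name, raw, "unknown type " + type_name))
            continue
        try:
            values[name] = converter(raw)
        except ValueError:
            errors.append((name, raw, "not a valid " + type_name))
    return values, errors


def render_errors_unquoted(errors):
    """Vulnerable rendering: the attacker-controlled raw value is interpolated
    straight into the HTML error page."""
    items = "".join("<li>%s: %s (%s)</li>" % e for e in errors)
    return "<ul>" + items + "</ul>"


def render_errors_quoted(errors):
    """Hardened rendering: every interpolated string is HTML-escaped, so the
    value is displayed as text and cannot inject markup."""
    items = "".join(
        "<li>%s: %s (%s)</li>" % tuple(escape(s, quote=True) for s in e)
        for e in errors
    )
    return "<ul>" + items + "</ul>"


def handle_request(url, autoquote=True):
    """Marshal the query string of `url`; on failure return the error page
    built by the quoted (default) or unquoted renderer."""
    values, errors = marshal_form(urlsplit(url).query)
    if errors:
        renderer = render_errors_quoted if autoquote else render_errors_unquoted
        return renderer(errors)
    return "OK " + repr(values)


if __name__ == "__main__":
    print("unquoted:", handle_request(CONSTRUCTED_URL, autoquote=False))
    print("quoted:  ", handle_request(CONSTRUCTED_URL))
```

Running it shows the unquoted page containing a live <b> element while the quoted page contains only "&lt;b&gt;"; the well-formed "bar:int=42" converts normally in both cases. The point of the example is that the escaping belongs in the renderer, not in the converter: the converter must keep the raw value for the error message, so the only safe place to neutralise it is at the moment it is written into HTML.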