[Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
Martijn Pieters
mj@zope.com
Mon, 12 Aug 2002 10:57:38 -0400
On Mon, Aug 12, 2002 at 03:51:24PM +0100, Toby Dickenson wrote:
> On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:
>
> > Without the fix, virtually every Zope site in the world is vulnerable
> > to URL-based cross-site scripting exploits. For instance, any URL which
> > contains invalid form variable marshalling can generate an error page
> > which includes the erroneous value, unquoted. E.g.:
> >
> > <URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>
>
> Do you plan to fix this bug?
>
> Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?
Together with the autoquoting changes, I tightened Exception messages; data
from REQUEST is quoted where I could reasonably suspect REQUEST data was
used.
--
Martijn Pieters
| Software Engineer mailto:mj@zope.com
| Zope Corporation http://www.zope.com/
| Creators of Zope http://www.zope.org/
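The exchange above turns on one mechanism: Zope marshals query parameters with a "name:type" suffix, and when a converter such as ":int" rejects the value, the resulting error page echoed that value back into HTML without quoting. The following is an added example, not code from the thread, from Zope, or from Martijn's checkin. It models that marshalling step in a few lines so the unquoted and the quoted error pages can be compared side by side. The converter table, the MarshalError message, the page layout, and the helper names are all assumptions for illustration; the query string is the payload from the message's URL, built here as a constructed input rather than sent to any site.

```python
# Added example (not Zope's own code): a minimal model of Zope-style
# "name:type" form-variable marshalling and the error page that reports
# a value that fails conversion.  It shows the unquoted (pre-fix) page
# next to the HTML-escaped (fixed) one.  Converter table, error text and
# page layout are assumptions for illustration, not Zope's real output.
from html import escape
from urllib.parse import parse_qsl

# Assumed subset of Zope's ":type" converters.
CONVERTERS = {
    "int": int,
    "float": float,
    "string": str,
}


class MarshalError(ValueError):
    """Raised when a REQUEST value cannot be converted to the requested type."""

    def __init__(self, name, type_name, raw):
        self.name, self.type_name, self.raw = name, type_name, raw
        super().__init__(f"{raw!r} is not a valid {type_name} for {name}")


def marshal_query(query):
    """Apply 'name:type' suffixes to each query parameter, Zope-style."""
    result = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        name, _, type_name = key.partition(":")
        if type_name:
            conv = CONVERTERS.get(type_name)
            if conv is None:
                raise MarshalError(name, type_name, value)
            try:
                value = conv(value)
            except ValueError:
                # `value` is still the raw, attacker-controlled string here.
                raise MarshalError(name, type_name, value) from None
        result[name] = value
    return result


def error_page_unquoted(err):
    """Pre-fix behaviour: the REQUEST value lands in the HTML unchanged."""
    return (f"<html><body><h1>Error</h1>"
            f"<p>Could not convert {err.raw} to {err.type_name} "
            f"for field {err.name}</p></body></html>")


def error_page_quoted(err):
    """Fixed behaviour: every REQUEST-derived fragment is HTML-escaped."""
    return (f"<html><body><h1>Error</h1>"
            f"<p>Could not convert {escape(err.raw)} to {escape(err.type_name)} "
            f"for field {escape(err.name)}</p></body></html>")


def render(query, quoted):
    """Marshal the query; on failure return the error page, else the parsed dict."""
    try:
        return marshal_query(query)
    except MarshalError as err:
        return error_page_quoted(err) if quoted else error_page_unquoted(err)


def contains_live_script(page):
    """Crude check: does a raw <script> tag survive into the rendered page?"""
    return "<script>" in page.lower()


# Constructed input: the query string from the URL quoted in the thread.
ATTACK_QUERY = "foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E"

if __name__ == "__main__":
    print("unquoted:", render(ATTACK_QUERY, quoted=False))
    print("quoted:  ", render(ATTACK_QUERY, quoted=True))
```

Run it and the unquoted page contains the literal <script> tag from the query, while the quoted page carries only &lt;script&gt; entities; this is the difference between the report on line 8 and the reply that REQUEST data is now quoted in exception messages. The check worth keeping from this is the last one: any error path that reflects a REQUEST value must go through the same escaping as the normal template output, because the error page is rendered in the victim's browser just like any other page.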