[Zope-dev] How (in)secure is Zope?

Florent Guillaume fg@nuxeo.com
Thu, 13 Mar 2003 18:11:32 +0100


In article <3E708748.5050107@iuveno.de> you write:
> - Cross-scripting issues:
> 
> I guess that some of those are still in the Zope Management Interface 
> (which is not meant to be used by untrusted users in most cases), but 
> Zope offers a lot of tools to make sure that it is hard to post 
> malicious code in forums, attack Zope via URLs etc.

I've worked had to remove all those in the DTML code. I've not audited
the rest of the python code that generates HTML directly (code that
should be taken out and shot), but I think there are patches for those
in the collector.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com