[Zope-dev] Re: 2.7 management_page_charset cannot be callable

Tres Seaver tseaver at zope.com
Thu Jan 15 18:31:06 EST 2004


Alan Milligan wrote:
> In addition to this problem, someone has changed manage_form_title.dtml 
> and caused me grief!
> 
> The <dtml-var title> tag has been changed to <&dtml-title;>
> 
> This causes an implicit html-quote to now be performed which means that 
> my <img> tag, inserted to display the product's icon to more strongly 
> associate what is being created, now just writes the html into the title 
> line.
> 
> Since nothing was broken in the first place, how about backing out this 
> change.

That change is one of a number which are designed to prevent cross-site 
scripting attacks;  DTML is particularly vulnerable to such cracks, as 
it doesn't force the template writer to choose the source from which the 
name will be bound.

Your scenario is actually quite close to the posited attack:  imagine 
that user 'black_hat' inserts a document whose title has nasty 
javascript in an 'onload' attribute of a tag;  such javascript can be 
used, for instance, to steal cookies, to post to 'manage_shutdown', etc.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
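As an added example, not code from this thread or from Zope itself, the following Python models the two DTML spellings under discussion: the verbatim `<dtml-var title>` versus the html-quoted `<&dtml-title;>`. It assumes the quoted form escapes `&`, `<`, `>` and `"` the way DTML's html_quote does; the sample titles and the `hostile()` handler name are constructed placeholders.

```python
import re

# Assumption: DTML's html_quote escapes these four characters.
def html_quote(value: str) -> str:
    """Escape a string for safe insertion into HTML text or attribute context."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))

def render_title_raw(title: str) -> str:
    """Old behaviour of manage_form_title.dtml: <dtml-var title> (no quoting)."""
    return "<h2>%s</h2>" % title

def render_title_quoted(title: str) -> str:
    """New behaviour: <&dtml-title;> (implicit html-quote)."""
    return "<h2>%s</h2>" % html_quote(title)

def contains_markup(rendered: str) -> bool:
    """Crude check: is there any tag inside the <h2> wrapper, i.e. did the
    title value become live markup rather than plain text?"""
    inner = rendered[len("<h2>"):-len("</h2>")]
    return re.search(r"<[A-Za-z]", inner) is not None

# Constructed sample titles (not taken from the list post):
# the product-icon case from the complaint, and a title carrying a
# script-bearing 'onload' attribute of the kind the reply describes.
ICON_TITLE = '<img src="misc_/MyProduct/icon.gif"> Add MyProduct'
ONLOAD_TITLE = '<img src="icon.gif" onload="hostile()"> Add Something'

if __name__ == "__main__":
    for label, title in (("icon", ICON_TITLE), ("onload", ONLOAD_TITLE)):
        print(label, "raw   ->", render_title_raw(title))
        print(label, "quoted->", render_title_quoted(title))
```

Both titles become live markup under the raw spelling and inert text under the quoted one, which is why the quoting fixes the injection case and, at the same time, breaks the icon trick.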