[Zope-dev] CSRF protection for z3c.form
Raphael Ritz
r.ritz at biologie.hu-berlin.de
Wed Apr 6 15:06:15 EDT 2011
On 4/6/11 7:43 PM, Roger wrote:
[..]
> I think protecting the form is just a part of a concept.
> Another part must be to prevent injecting JavaScript into
> user-generated content. If an application allows posting
> JS in a blog post or comment etc., it should be possible to
> use easydmx to read and re-use the secure form token.
> (not approved but should work)
For that reason both CMF and Plone "clean"
user input by stripping nasty tags and such, at
least by default.
Raphael
>
> One of my bigger concerns is also that such a token will
> break a lot of our tests, which would force us to use
> custom non-security-token-generating form classes.
>
> I'm fine in general with implementing such a concept
> in z3c.form, but it should be optional.
> Why not offer additional form classes or a mixin
> to support such a token?
>
> Regards
> Roger Ineichen
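An opt-in CSRF token mixin of the kind Roger asks for, as an added example that is not z3c.form's own code: the token is an HMAC over a per-session nonce, emitted as a hidden field and checked in constant time on submit. The session object, the form-data dict, the field name and the secret are constructed stand-ins, not z3c.form's API.

```python
import hashlib
import hmac
import secrets


class FakeSession(dict):
    """Constructed stand-in for a per-user server-side session (assumption)."""


class CSRFTokenMixin:
    """Opt-in mixin: adds a hidden token field and checks it on submit.

    Forms that do not need the check simply do not mix this in, which keeps
    the behaviour optional as the thread asks for.
    """
    csrf_field = "_authenticator"                 # assumed hidden-field name
    csrf_secret = b"PLACEHOLDER-secret-from-config"  # placeholder, load from config

    def __init__(self, session, form_data):
        self.session = session        # per-user session (stand-in)
        self.form_data = form_data    # submitted fields as a dict (stand-in)

    def csrf_token(self):
        # One random nonce per session; the token is HMAC(secret, nonce),
        # so the server can recompute it instead of storing the token itself.
        nonce = self.session.get("csrf_nonce")
        if nonce is None:
            nonce = secrets.token_hex(16)
            self.session["csrf_nonce"] = nonce
        return hmac.new(self.csrf_secret, nonce.encode(), hashlib.sha256).hexdigest()

    def hidden_field_html(self):
        # Token is hex, so no HTML escaping is needed for the value.
        return f'<input type="hidden" name="{self.csrf_field}" value="{self.csrf_token()}" />'

    def validate_csrf(self):
        # A request from another session, or with no token, fails here.
        submitted = self.form_data.get(self.csrf_field, "")
        expected = self.csrf_token()
        # Constant-time comparison so a mismatch does not leak the token byte by byte.
        return hmac.compare_digest(submitted, expected)
```

Test code can obtain the expected value from `csrf_token()` for the session it drives, which addresses the concern about breaking tests. As Roger's first point notes, script injected into user content could still read this token from the page, so the check complements input cleaning rather than replacing it.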