[Zope] CERT -- Malicious HTML Tags
Tres Seaver
tseaver@palladion.com
Wed, 02 Feb 2000 16:56:07 -0600
CERT has released a fairly dire advisory on the dangers of dynamic page
generation when coupled with untrusted content submission:
http://www.cert.org/advisories/CA-2000-02.html
Anyone care to comment on Zope's vulnerability here? For instance, the ZGotW
site allows submissions in structured text, plain text, and HTML -- but now I am
probably going to htmlquote() the last, which kills a lot of the point of it,
no?
The key issue lies in embedding <SCRIPT>...</SCRIPT> chunks (or their immoral
equivalents, <OBJECT>, <EMBED>, and <APPLET>). Consider, for instance, those
nasty pop-up windows launched by some "free" webspace providers; then consider
what happens in Squishdot, ZGotW, or any other site which permits users to enter
arbitrary HTML as part of the feedback/collaboration process. Not a pretty
scene!
Tres.
--
=========================================================
Tres Seaver tseaver@palladion.com 713-523-6582
Palladion Software http://www.palladion.com
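As an added example (not Tres's code and not a Zope API), one middle road between accepting raw HTML and htmlquote()-ing everything: an allow-list sanitizer built on Python's standard-library parser that keeps simple formatting but drops the SCRIPT, OBJECT, EMBED and APPLET elements named above together with their contents, discards event-handler attributes, and rejects non-http(s) link targets. The tag and attribute policy is an assumption chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Policy (an assumption for this example, not a Zope setting): simple
# formatting survives, everything else is dropped or escaped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "applet"}

def _safe_href(url):
    # Relative links and http(s) only: rejects javascript:, data:, vbscript:
    return urlsplit(url.strip()).scheme in ("", "http", "https")

class Sanitizer(HTMLParser):
    """Rebuild a fragment, keeping only allow-listed tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip_depth = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1            # swallow the element's content
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                          # unknown tag vanishes, its text stays
        kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, ()) and v is not None
                and (n != "href" or _safe_href(v))]
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":                     # br is void, nothing to close
            self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            while self.open_tags:           # close tags left open inside it
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is always re-escaped

def sanitize_html(fragment):
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    while s.open_tags:                      # close anything the author left open
        s.out.append(f"</{s.open_tags.pop()}>")
    return "".join(s.out)
```

Comments, doctypes and processing instructions never reach the output because the parser's default handlers for them emit nothing.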