[Zope] CERT -- Malicious HTML Tags
Graham Chiu
anon_emouse@hotmail.com
Fri, 4 Feb 2000 16:02:22 +1200
In article <3898B607.D7AB34C1@palladion.com>, Tres Seaver
<tseaver@palladion.com> writes
>The key issue lies in embedding <SCRIPT>...</SCRIPT> chunks (or their immoral
>equivalents, <OBJECT>, <EMBED>, and <APPLET>). Consider, for instance, those
>nasty pop-up windows launched by some "free" webspace providers; then consider
>what happens in Squishdot, ZGotW, or any other site which permits users to enter
>arbitrary HTML as part of the feedback/collaboration process. Not a pretty
Squishdot says this at the bottom of its post article page:
Allowed HTML
<B> <I> <P> <A> <LI> <OL> <UL> <EM> <BR> <TT> <HR> <STRONG> <BLOCKQUOTE>
<DIV .*> <DIV> <P .*>
I must check on what Zwiki does ...
-------
Regards, Graham Chiu
gchiu<at>compkarori.co.nz
http://www.compkarori.com/dynamo - The Homebuilt Dynamo
http://www.compkarori.com/dbase - The dBase bulletin
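
An added example, not part of the original post and not Squishdot's own code: a tag allowlist filter built on the tag names in the "Allowed HTML" list above. It assumes a stricter policy than the `<DIV .*>` and `<P .*>` patterns suggest, dropping every attribute except an `href` on `<A>` with an http, https or mailto scheme; the names `AllowlistSanitizer` and `sanitize` are illustrative.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag names taken from the "Allowed HTML" list quoted in the post.
ALLOWED = {"b", "i", "p", "a", "li", "ol", "ul", "em", "br", "tt", "hr",
           "strong", "blockquote", "div"}
VOID = {"br", "hr"}  # no closing tag is emitted for these
# Elements whose enclosed content is discarded, not only the tags themselves.
DROP_CONTENT = {"script", "style", "object", "applet"}
# Assumption of this example: the only attribute kept is <a href> with these schemes.
SAFE_SCHEMES = {"http", "https", "mailto"}

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return  # unknown tags (e.g. <embed>, <img>) vanish; their text stays
        kept = ""
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            # Relative and scheme-less links are dropped too (fail closed).
            if urlsplit(href).scheme.lower() in SAFE_SCHEMES:
                kept = ' href="%s"' % escape(href, quote=True)
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-encode text

def sanitize(html_text):
    """Return html_text rebuilt from allowlisted tags and escaped text only."""
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```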