[Zope] Re: [Zope-dev] New: Cross Site Scripting vulnerability
Oliver Bleutgen <myzope@gmx.net>
Tue, 25 Sep 2001 20:22:02 +0200
> [Bill Anderson]
>> > umm chris,
>> >
>> > you're right, but this example
>> >
>> > http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
>> >
>> > executes the script. I don't exactly see why/where but I feel
>>
>> Perhaps it is a browser thing? It isn't being executed by Galeon.
>>
>>
>> Bill
>>
> Pasting that URL into IE and Netscape 4.73 in Win2000 didn't execute it
> either.
> Tom P
This is not too surprising, as the code on zope.org was
apparently changed not to display alternative links to
classic.zope.org:8080/<remainder of url> anymore.
At the time the first mail was posted it did, and IE
(5.0.whatever) thought it was a good idea to execute
that JavaScript - don't know if rightly or not.
But it really never was a zope problem, for all I can see.
cheers,
oliver
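
The behaviour described in this message, a not-found page that echoes the remainder of the URL into an "alternative link", shown as an added example that is not part of the original post and is not zope.org's code. The function names and page layout are assumptions; only the host name and the sample path come from the thread.

```python
# Added illustration (not zope.org code): a not-found page that suggests an
# alternative link built from the request path, unescaped vs. escaped.
from html import escape
from urllib.parse import quote, unquote

CLASSIC_HOST = "classic.zope.org:8080"  # host named in the post

# Path taken from the URL quoted in the thread.
SAMPLE_PATH = "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>"


def not_found_unescaped(raw_path: str) -> str:
    """Hypothetical 'before': the decoded path is echoed into the HTML as-is."""
    path = unquote(raw_path)
    url = f"http://{CLASSIC_HOST}{path}"
    return f'<p>Not found. Try <a href="{url}">{url}</a></p>'


def not_found_escaped(raw_path: str) -> str:
    """Hypothetical 'after': each output context gets its own encoding."""
    path = unquote(raw_path)
    # URL context: percent-encode everything except path separators.
    href = f"http://{CLASSIC_HOST}{quote(path, safe='/')}"
    # HTML text context: show the path to the user, but as inert text.
    text = f"http://{CLASSIC_HOST}{path}"
    return (
        "<p>Not found. Try "
        f'<a href="{escape(href, quote=True)}">{escape(text)}</a></p>'
    )


def contains_live_script_tag(page: str) -> bool:
    """Coarse check used for this demo: is there a literal <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for render in (not_found_unescaped, not_found_escaped):
        page = render(SAMPLE_PATH)
        print(render.__name__, contains_live_script_tag(page))
        print(page)
```
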