[Zope] Security issue with the Guest book example in Zope Book

Joakim Nicander nocke@polarcap.org
Wed, 27 Feb 2002 09:48:44 +0100


Hi,

I'm relatively new to Zope so I hope I haven't missed anything obvious.

I'm building a small project manager for an intranet site. Normally I use
MySQL to store data, but this time I store the information in DTML Documents,
as in the Guest book example: the text goes in the document, and properties
are added to the document.

The information is added to Zope via an input form, exactly as in the
example. Then I render the document with html_quote so they can't sneak in
HTML code. But that doesn't stop them from sneaking in DTML code, as I found
out when I tested.

OK, maybe I missed something, I thought, so I implemented the guest book from
the Zope Book. Still no protection against DTML code.

I can get information from Zope and of course crash the guest book. I can
easily change my project manager to add the text in a property so it won't
render. Other suggestions?

But I don't think an example in the Zope book should have this security
issue.

I hope I missed something.

/Nocke
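The mechanism behind the report above, as an added illustration that is not part of the original message or of Zope's code: a toy renderer that only understands `<dtml-var name [html_quote]>` stands in for Zope's DocumentTemplate, the context variable `secret_setting` and the guest book entry are constructed, and the two functions contrast storing user text as document source (the pattern described in the post) with storing it as a property and quoting it at render time.

```python
import html
import re

# Toy DTML: substitutes <dtml-var name [html_quote]> from a context mapping.
# This is a simplified model, not Zope's DocumentTemplate package.
DTML_VAR = re.compile(r"<dtml-var\s+(\w+)((?:\s+\w+)*)\s*>")


def render_dtml(source, context):
    """Evaluate the dtml-var tags found in `source` against `context`."""
    def substitute(match):
        value = str(context.get(match.group(1), ""))
        if "html_quote" in match.group(2).split():
            value = html.escape(value, quote=True)
        return value
    return DTML_VAR.sub(substitute, source)


# Constructed stand-in for a name reachable from the document's context.
CONTEXT = {"secret_setting": "constructed-secret-value"}

# Constructed guest book entry as a visitor could submit it via the form.
ENTRY = "Nice site <b>!</b> <dtml-var secret_setting>"


def guestbook_as_document_source(entry):
    """Post's pattern: the entry *is* the DTML Document's source. Rendering
    evaluates its dtml tags first; html_quote only escapes the result, so
    the injected tag has already been resolved against the context."""
    rendered = render_dtml(entry, CONTEXT)
    return html.escape(rendered, quote=True)


def guestbook_as_property(entry):
    """Fix suggested in the post: keep the entry as data (a property) and
    reference it from a fixed template with html_quote, so visitor text is
    never parsed as DTML and every tag in it is shown literally."""
    template = "<dtml-var entry html_quote>"
    return render_dtml(template, dict(CONTEXT, entry=entry))
```

`guestbook_as_document_source` leaks the context value into the page while still escaping the `<b>` tag, which is why html_quote alone looks like it works; `guestbook_as_property` returns the entry with the dtml tag escaped as text.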