[Zope] Strip all HTML
Alex Coventry
throwaway@MIT.EDU
Tue Aug 5 16:57:18 EDT 2003
It seems as if letting things like <scRipt> through makes the whole
exercise pointless. Surely people who play these games think of things
like that. You might consider using one of the existing HTML strippers
out there, like stripogram (available in the squishdot distribution) or
SafeHTML. Unfortunately, neither of them deals correctly with this
example:
<A HREF="http://example.com/comment.cgi? mycomment=<SCRIPT>malicious code</SCRIPT>">malicious code"> Click here</A>
which is mentioned in the CERT advisory at
http://www.cert.org/advisories/CA-2000-02.html
HTH.
Alex.
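Added example, not code from this post and not stripogram's or SafeHTML's implementation: a naive regex tag stripper beside a tokenizer-based one, both run over the CERT CA-2000-02 style payload quoted above (assumed here to be the exact string; Python 3 standard library only). The naive version shows the failure the message is talking about: the nested <SCRIPT> inside the HREF attribute stops the regex, so the enclosing <A HREF=...> is left in the output as live markup.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: the CERT CA-2000-02 style payload quoted in the post.
SAMPLE = ('<A HREF="http://example.com/comment.cgi? mycomment='
          '<SCRIPT>malicious code</SCRIPT>">malicious code"> Click here</A>')

# Naive approach (illustrative, not stripogram's or SafeHTML's code): treat a
# tag as '<' ... '>' with no angle bracket inside, and delete every match.
NAIVE_TAG = re.compile(r'<[^<>]*>')


def naive_strip(s):
    """Regex tag deletion. On SAMPLE the '<' of the nested <SCRIPT> stops the
    first match, so only <SCRIPT>, </SCRIPT> and </A> are removed and the
    enclosing <A HREF=...> survives with an attacker-controlled href."""
    return NAIVE_TAG.sub('', s)


class _TextOnly(HTMLParser):
    """Tokenize with the stdlib parser and keep only text nodes. Text inside
    <script>/<style> elements is dropped rather than returned as text."""

    def __init__(self):
        super().__init__()      # convert_charrefs=True: entities decoded in data
        self.parts = []
        self._skip = 0          # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ('script', 'style'):      # tag names arrive lower-cased
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ('script', 'style') and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def strip_all_html(s):
    """Return only the text content, re-escaped so that quotes, angle
    brackets and decoded entities cannot turn back into markup when the
    result is rendered."""
    p = _TextOnly()
    p.feed(s)
    p.close()                   # flush any buffered text
    return html.escape(''.join(p.parts), quote=True)


if __name__ == '__main__':
    print('naive :', naive_strip(SAMPLE))
    print('parsed:', strip_all_html(SAMPLE))
```

The parser-based version treats the whole quoted HREF as one attribute value, so the nested script text never reaches the output; re-escaping the collected text matters because the parser decodes entities, and without it `&lt;script&gt;` in the input would come back out as a literal `<script>`.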