[ZPT] Re: [Zope] prevent quoting in tal:attributes
Jamie Heilman
jamie at audible.transient.net
Thu Oct 2 04:43:58 EDT 2003
Dieter Maurer wrote:
> I am not sure whether there is a security risk (similar to the one
> given by not quoting HTML fragments). In principle, an entity
> reference can expand to anything (defined in the document type).
...and therein lies the rub. Uncertainty in the face of security is
reason enough to unconditionally quote attribute values in my mind.
At any rate, I hope the following example will sufficiently illustrate
why Evan's latest changes are unacceptable.
<pre tal:content="request/form/items"></pre>
<form method="GET">
X:<input type="text" name="X" tal:attributes="value request/X|nothing" />
<input type="submit" value="Submit" />
</form>
<p>Type <tt>X&amp;Y</tt> into the field and press <i>Submit</i>
twice. Pay attention to the reported value of X; it <b>should not</b>
change.</p>
--
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
next to you may not be who they appear to be, so take precaution."
-Sathington Willoughby
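The round trip Jamie describes, modelled as an added example that is not part of the original post or of Zope: a value is rendered into the <input> attribute either escaped (as quoting tal:attributes would do) or raw, the browser decodes the attribute's entity references, and the decoded value is resubmitted. The escaping uses Python's html.escape/html.unescape as stand-ins for TAL quoting and browser entity decoding; the simplified attribute parser and the helper names are assumptions.

```python
import re
from html import escape, unescape

INPUT_RE = re.compile(r'value="([^"]*)"')  # minimal stand-in for a browser's attribute parser


def render_input(value: str, quote: bool) -> str:
    """Render the <input> from the post.

    quote=True models tal:attributes quoting the value (&, <, >, " and ').
    quote=False models the unquoted insertion the post objects to.
    """
    attr = escape(value, quote=True) if quote else value
    return f'<input type="text" name="X" value="{attr}" />'


def browser_value(markup: str) -> str:
    """What the browser submits: the attribute text with entity references expanded."""
    match = INPUT_RE.search(markup)
    return unescape(match.group(1)) if match else ""


def submit_twice(initial: str, quote: bool) -> list:
    """Type `initial`, press Submit twice; return the value seen at each step."""
    history = [initial]
    value = initial
    for _ in range(2):
        value = browser_value(render_input(value, quote))
        history.append(value)
    return history


def is_stable(initial: str, quote: bool) -> bool:
    """True when resubmitting leaves the value unchanged, as it should."""
    return len(set(submit_twice(initial, quote))) == 1


if __name__ == "__main__":
    # Constructed input: the literal text "X&amp;Y" typed into the field.
    for quoted in (True, False):
        print("quoted" if quoted else "raw", submit_twice("X&amp;Y", quoted))
```

With quoting, `&` becomes `&amp;` on output and the browser decodes it back to `&`, so the value is a fixed point; without quoting, the browser expands the typed `&amp;` and the value drifts to `X&Y` after the first submit.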