[Zope-Coders] Towards 2.6

Florent Guillaume fg@nuxeo.com
16 Oct 2002 23:57:20 +0200


Hmm, I had that discussion before somewhere.

If a user is able to create content and specify a title, and later
some view does <dtml-var title>, then you're hosed, tainted strings
or not.

Florent

On Wed, 2002-10-16 at 23:18, Brian Lloyd wrote:
> > Oh I'm not concerned with me or my clients, I'm concerned about all the
> > users wanting to upgrade to 2.6. Localizer still has to monkey patch the
> > ZPT StringIO because it won't work for lots of people otherwise. It's a
> > pity.
> > 
> > I don't like the state of all the XSS holes either.
> 
> Note that they will not be holes in 2.6 due to the string 
> tainting changes being activated by default.

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
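The point above (request tainting does not help once user-supplied data has been stored and is rendered later) as an added example in plain Python; this is not Zope code, and TaintedString, STORE and the view functions are hypothetical stand-ins for Zope's taint wrapper, a persistent content store and a DTML view.

```python
import html


class TaintedString(str):
    """Hypothetical model of a request-tainted string: it knows where it
    came from and escapes itself when rendered into HTML."""

    def render(self):
        return html.escape(str(self), quote=True)


def from_request(value):
    # Values arriving in the request are tainted at the boundary
    # (what 2.6 activates by default).
    return TaintedString(value)


STORE = {}  # constructed stand-in for persistent content objects


def create_content(doc_id, title):
    # Persisting the title keeps a plain str: the taint does not
    # survive storage, so a later render sees an "untainted" value.
    STORE[doc_id] = str(title)


def render_var(value):
    # Models <dtml-var title>: a tainted string escapes itself,
    # a plain string is emitted verbatim.
    return value.render() if isinstance(value, TaintedString) else str(value)


def render_var_html_quote(value):
    # Models <dtml-var title html_quote>: escape at the point of output,
    # regardless of where the value came from.
    return html.escape(str(value), quote=True)


def view_unsafe(doc_id):
    return "<h1>%s</h1>" % render_var(STORE[doc_id])


def view_safe(doc_id):
    return "<h1>%s</h1>" % render_var_html_quote(STORE[doc_id])
```

Rendering the tainted value straight from the request is safe, but the same value read back from STORE is not unless the view quotes it itself.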