[Zope-Coders] Towards 2.6
Florent Guillaume
fg@nuxeo.com
16 Oct 2002 23:57:20 +0200
Hmm I had that discussion before somewhere.
If a user is able to create content and specify a title, and
later some view does <dtml-var title>, then you're hosed, tainted strings
or not.
Florent
On Wed, 2002-10-16 at 23:18, Brian Lloyd wrote:
> > Oh I'm not concerned with me or my clients, I'm concerned about all the
> > users wanting to upgrade to 2.6. Localizer still has to monkey patch the
> > ZPT StringIO because it won't work for lots of people otherwise. It's a
> > pity.
> >
> > I don't like the state of all the XSS holes either.
>
> Note that they will not be holes in 2.6 due to the string
> tainting changes being activated by default.
--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com
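A worked illustration of the point Florent makes above, added here as an example and not code from the thread, from Zope, or from Localizer. It is a toy Python model, not Zope's actual TaintedString implementation: request values containing "<" are wrapped so that rendering them escapes automatically (the idea behind the 2.6 tainting), but a title that was accepted, stored on a content object, and later rendered with a plain <dtml-var title> comes back as an ordinary string with no taint. The names (TaintedString, Document, the render_* functions, the form dict) and the stored-XSS payload are all constructed for the example; the only Zope-specific detail it relies on is that DTML's html_quote attribute escapes a variable.

```python
import html


class TaintedString:
    """Toy stand-in for a tainted request string (assumption, not Zope's class).

    Holds the raw value; converting it to str for output escapes it, which is
    the protection tainting gives a view that renders the request value directly.
    """

    def __init__(self, value: str) -> None:
        self._value = value

    def __str__(self) -> str:
        return html.escape(self._value, quote=True)

    def raw(self) -> str:
        # What gets persisted when the value is copied onto a content object.
        return self._value


def taint_request_value(value: str) -> object:
    """Wrap a form value only if it contains '<', as the taint check does."""
    return TaintedString(value) if "<" in value else value


class Document:
    """Minimal content object with a user-supplied title stored as plain str."""

    def __init__(self, title: str) -> None:
        self.title = title


def create_document_from_request(form: dict) -> Document:
    """Create content from a request: the taint protects the request, but the
    stored attribute is the raw string, so the taint does not survive storage."""
    value = taint_request_value(form["title"])
    raw = value.raw() if isinstance(value, TaintedString) else value
    return Document(raw)


def render_request_title(form: dict) -> str:
    """A view rendering the request value itself: tainting escapes it."""
    return f"<h1>{taint_request_value(form['title'])}</h1>"


def render_title_unsafe(doc: Document) -> str:
    """Equivalent of <dtml-var title>: the stored value is emitted verbatim."""
    return f"<h1>{doc.title}</h1>"


def render_title_safe(doc: Document) -> str:
    """Equivalent of <dtml-var title html_quote>: escape at output time."""
    return f"<h1>{html.escape(doc.title, quote=True)}</h1>"


if __name__ == "__main__":
    # Constructed stored-XSS payload submitted as a content title.
    form = {"title": "<script>alert(1)</script>"}
    doc = create_document_from_request(form)
    print("request view:", render_request_title(form))   # escaped by tainting
    print("stored, plain:", render_title_unsafe(doc))     # script tag survives
    print("stored, quoted:", render_title_safe(doc))      # escaped at output
```

The lesson is the one in the mail: tainting is a property of the request, not of the data. Once the value has been accepted and stored, the only defence is to escape at the point of output (html_quote, or a template engine that escapes by default) rather than to rely on the input side having flagged it.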