[Zope-Coders] dtml-var cleanup

Shane Hathaway shane@zope.com
Thu, 24 Oct 2002 01:36:08 -0400


Florent Guillaume wrote:
> In efge-death-to-dtml-var-branch, I've tried to remove most <dtml-var>
> to replace them with &dtml-foo;.
> 
> This corrects a number of potential (and some real) XSS holes. Note that
> many harmless <dtml-var foo> or <dtml-var foo html_quote> were converted
> too, because keeping them prevents us from doing effective audits.
> 
> I'd appreciate it if people eyeballed the diff, or tried to merge that
> branch into their sandbox for a while to ensure that no spurious quoting
> was introduced.

Good work.  This must have been hard. :-)  I looked at the diffs for a 
few dozen files and I couldn't see any mistakes.  However...

> If everything looks ok, I'll merge this into HEAD. I think it warrants
> merging into the 2.6 branch too before 2.6.1. I don't know about 2.5
> (and the merge would be much more complex).

I'd like to see this in Zope 2.7, but putting it in Zope 2.6.x would 
cause pain.  No one can be sure you converted every tag perfectly.  We 
need a release we can depend on.  Most of the work of fixing potential 
XSS holes was already done previously (by Martijn, I think), and even 
then it was mostly paranoia. :-)  If you have specific cases that really 
can be exploited, then we should consider merging only those specific 
fixes into Zope 2.6.

Shane
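The quoting difference the thread is about, as an added example that is not part of the original mail and not Zope's DocumentTemplate code: a small constructed renderer that reproduces only the rule under discussion (`<dtml-var foo>` inserts the value raw, while `<dtml-var foo html_quote>` and `&dtml-foo;` insert it HTML-escaped), plus the two helpers a reviewer of that branch would want: an audit that lists every unquoted `<dtml-var>` in a template, and the mechanical conversion to entity syntax. The regexes, the `render`/`find_unquoted_vars`/`convert_to_entities` names and the sample template are assumptions made for the example.

```python
import html
import re

# Constructed mini-renderer (NOT Zope's DocumentTemplate). It models only the
# quoting behaviour discussed in the thread:
#   <dtml-var foo>             -> value inserted raw (potential XSS sink)
#   <dtml-var foo html_quote>  -> value HTML-escaped
#   &dtml-foo;                 -> value HTML-escaped (entity syntax)
# Tags with other modifiers (e.g. fmt=...) are deliberately not matched, so a
# conversion pass leaves them for manual review.
VAR_TAG = re.compile(r"<dtml-var\s+(\w+)((?:\s+\w+)*)\s*>")
VAR_ANY = re.compile(r"<dtml-var\s+(\w+)((?:\s+\w+)*)\s*>|&dtml-(\w+);")


def render(template, context):
    """Expand both syntaxes in a single pass over the template.

    A single pass matters: substituting tags first and entities second would
    re-scan raw values, so user data containing "&dtml-x;" would be expanded.
    """
    def substitute(m):
        if m.group(3):                      # &dtml-name; always quotes
            name, quote = m.group(3), True
        else:                               # <dtml-var name [modifiers]>
            name = m.group(1)
            quote = "html_quote" in m.group(2).split()
        value = str(context.get(name, ""))
        return html.escape(value, quote=True) if quote else value
    return VAR_ANY.sub(substitute, template)


def find_unquoted_vars(template):
    """Audit helper: names used in <dtml-var> tags that lack html_quote."""
    return [m.group(1) for m in VAR_TAG.finditer(template)
            if "html_quote" not in m.group(2).split()]


def convert_to_entities(template):
    """Rewrite <dtml-var foo> and <dtml-var foo html_quote> to &dtml-foo;.

    Tags carrying any other modifier are left untouched so that the conversion
    never silently changes formatting options; they show up in the audit.
    """
    def substitute(m):
        modifiers = m.group(2).split()
        if modifiers and modifiers != ["html_quote"]:
            return m.group(0)
        return "&dtml-%s;" % m.group(1)
    return VAR_TAG.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample: one raw tag, one quoted tag, one entity.
    template = '<h1><dtml-var title></h1><p><dtml-var body html_quote></p><i>&dtml-author;</i>'
    context = {"title": "<b>Hello</b>", "body": "a < b", "author": "Jane & Co"}
    print("unquoted:", find_unquoted_vars(template))
    print("before  :", render(template, context))
    converted = convert_to_entities(template)
    print("converted template:", converted)
    print("after   :", render(converted, context))
```

Running the audit on a branch before and after a conversion like the one described gives a concrete check that "no spurious quoting was introduced": the list of unquoted variables should shrink to the tags that were intentionally kept, and rendering both versions against the same context shows exactly which outputs changed.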