[Zope-dev] DTML and REQUEST data changes about to be checked in

Toby Dickenson tdickenson@geminidataloggers.com
Fri, 9 Aug 2002 15:43:59 +0100


On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote:
> On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > > The risk for breakage is very small really
> >
> > Your choice of '<' and html_quote suggests that my dtml code which
> > generates javascript and vbscript carries a higher risk than dtml which
> > generates html.
>
> Only if you generated that script using data from the REQUEST, implicitly.

Yes

> Which was bad in the first place.

I agree it is true in most cases, but not all. Have you analysed how many
applications will be broken by this? How can they detect the breakage? I
certainly will not have time to assess the implications on my applications
before the scheduled release of 2.6.

> > >, and breakage
> > > will generally only occur when someone is trying to exploit the
> > > weakness, not in normal operation of the site.
> >
> > The fact that your change uses html_quote to 'fix' the problem rather
> > than sounding 'hacker alert' alarm bells suggests to me that you don't
> > really believe that ;-)
>
> Again, the wide scope of DTML use would make such bells warble prematurely
> all too often.

'all too often' also contradicts your statements that this will not happen in
normal operation of the site, and that the risk of breakage is 'very small'.


Like I said before, this is probably a good feature. If it was available as a
patch then I would probably use it on a number of my sites, and would
recommend it to others. I would be very happy to see it (or something like it)
in 2.7.

But not 2.6.
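The distinction Toby draws in the message above, between DTML that emits HTML and DTML that emits script, is worth seeing concretely. The following Python is an added example, not code from the original post or from Zope itself: `html_quote` is an assumed HTML-entity escaper standing in for DTML's, the two templates and the REQUEST values are constructed, and `script_value` is a minimal reader for a JavaScript string literal used in place of a browser. It shows that entity-quoting a REQUEST value makes an injected tag inert in an HTML slot, but in a script slot it silently changes ordinary values (`a<b` arrives as `a&lt;b`), leaves an apostrophe free to break the literal, and still lets a single quote terminate it, so the context-correct escaping for that slot is a JavaScript string literal rather than html_quote.

```python
import json
import re

# Constructed REQUEST values: two ordinary inputs and two hostile ones.
SAMPLE_VALUES = ["O'Reilly", "a<b", "<script>alert(1)</script>", "'; alert(1); //"]


def html_quote(text):
    """Assumed HTML-entity escaping (&, <, >, ") standing in for DTML's
    html_quote; this is not Zope's own implementation."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))


def js_string_literal(text):
    """Context-correct escaping for a script slot: a double-quoted JavaScript
    string literal. json.dumps escapes quotes, backslashes, control characters
    and non-ASCII; <, > and & are additionally emitted as \\u escapes so the
    value can never contain '</script>' or start an entity."""
    return (json.dumps(text).replace("<", "\\u003c")
                            .replace(">", "\\u003e").replace("&", "\\u0026"))


def render_html_slot(value, quoter=lambda s: s):
    """Constructed template that drops a REQUEST value into HTML text."""
    return "<p>Hello " + quoter(value) + "!</p>"


def render_script_slot_legacy(value, quoter=lambda s: s):
    """Constructed template of the kind the thread worries about: the author
    wrote the surrounding single quotes, DTML only substitutes the value
    (and, with the 2.6 change, html_quotes it first)."""
    return "var name = '" + quoter(value) + "';"


def render_script_slot_contextual(value):
    """Same slot, but the template emits a whole JS literal, so the quoting
    matches the context the value lands in."""
    return "var name = " + js_string_literal(value) + ";"


def html_tag_names(html):
    """Names of the start tags a browser would see in the rendered HTML."""
    return re.findall(r"<([A-Za-z][A-Za-z0-9]*)", html)


_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}


def script_value(statement):
    """Minimal reader for 'var name = <string literal>;', used in place of a
    browser. Returns the string the script would assign to name, or None when
    the statement is not exactly one literal followed by ';' (the value broke
    the syntax, or smuggled code in after the literal)."""
    prefix = "var name = "
    if not statement.startswith(prefix) or len(statement) <= len(prefix):
        return None
    i = len(prefix)
    quote = statement[i]
    if quote not in "'\"":
        return None
    i += 1
    out = []
    while i < len(statement):
        c = statement[i]
        if c == "\\":
            if i + 1 >= len(statement):
                return None
            nxt = statement[i + 1]
            if nxt == "u":
                hex_digits = statement[i + 2:i + 6]
                try:
                    out.append(chr(int(hex_digits, 16)))
                except ValueError:
                    return None
                i += 6
            else:
                out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
                i += 2
        elif c == quote:
            i += 1
            break
        else:
            out.append(c)
            i += 1
    else:
        return None  # literal never closed
    return "".join(out) if statement[i:] == ";" else None


def compare_quoting(value):
    """Summarise what each strategy does with one REQUEST value."""
    return {
        "html_tags_unquoted": html_tag_names(render_html_slot(value)),
        "html_tags_html_quote": html_tag_names(render_html_slot(value, html_quote)),
        "script_unquoted": script_value(render_script_slot_legacy(value)),
        "script_html_quote": script_value(render_script_slot_legacy(value, html_quote)),
        "script_contextual": script_value(render_script_slot_contextual(value)),
    }


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(repr(v), compare_quoting(v))
```

Running it prints, for each constructed value, the tag list a browser would see in the HTML slot and the string (or None for a broken or hijacked statement) the script slot would assign. Only the contextual rendering round-trips every value; html_quote in the script slot returns `a&lt;b` for `a<b` and None for both the apostrophe and the injection, which is the "breakage in normal operation" and the "not really a fix" that the message argues about.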