[Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

Martijn Pieters mj@zope.com
Mon, 12 Aug 2002 10:57:38 -0400


On Mon, Aug 12, 2002 at 03:51:24PM +0100, Toby Dickenson wrote:
> On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:
> 
> > Without the fix, virtually every Zope site in the world is vulnerable
> > to URL-based cross-site scripting exploits.  For instance, any URL which
> > contains invalid form variable marshalling can generate an error page
> > which includes the erroneous value, unquoted.  E.g.:
> >
> > <URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>
> 
> Do you plan to fix this bug?
> 
> Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?

Together with the autoquoting changes, I tightened Exception messages; data
from REQUEST is quoted where I could reasonably suspect REQUEST data was
used.

-- 
Martijn Pieters
| Software Engineer  mailto:mj@zope.com
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
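The failure mode discussed in this thread, as an added example that is not part of the original message or of Zope's own code: a minimal stand-in for Zope's `name:type` form-variable marshalling, an error page that interpolates the exception text unquoted (the behaviour Tres describes), and the same page with REQUEST-derived text HTML-escaped (the behaviour of Martijn's fix). The `marshal_form`, `error_page_unquoted` and `error_page_quoted` functions, the `CONVERTERS` table and the `SAMPLE_QUERY` string are all constructed for this example; `html.escape` stands in for Zope's own quoting routine.

```python
import html
import re
from urllib.parse import parse_qsl

# Constructed sample query string modelled on the URL quoted in the thread.
# This is an added example, not Zope's form-marshalling code.
SAMPLE_QUERY = "foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E"

# Converters for the Zope-style ":type" suffix on a form variable name.
# Only a few types are modelled here (assumption); Zope supports more.
CONVERTERS = {
    "int": int,
    "float": float,
    "string": str,
}


def marshal_form(query):
    """Parse name[:type]=value pairs into a dict; raise ValueError on bad data.

    The error message deliberately includes the offending value, because
    that is what lets the error page echo attacker-controlled text.
    """
    form = {}
    for raw_name, value in parse_qsl(query, keep_blank_values=True):
        name, _, type_name = raw_name.partition(":")
        converter = CONVERTERS.get(type_name, str) if type_name else str
        try:
            form[name] = converter(value)
        except ValueError:
            raise ValueError(
                f"Invalid {type_name} value for {name}: {value}"
            ) from None
    return form


def error_page_unquoted(query):
    """'Before' case: the exception text is dropped into the HTML as-is."""
    try:
        marshal_form(query)
        return "<html><body>OK</body></html>"
    except ValueError as exc:
        # Attacker-supplied value reaches the page as live markup.
        return f"<html><body><h1>Error</h1><p>{exc}</p></body></html>"


def error_page_quoted(query):
    """'After' case: REQUEST-derived text is HTML-escaped before insertion,
    so the injected <script> is rendered as text rather than executed."""
    try:
        marshal_form(query)
        return "<html><body>OK</body></html>"
    except ValueError as exc:
        safe = html.escape(str(exc))
        return f"<html><body><h1>Error</h1><p>{safe}</p></body></html>"


def contains_script_tag(page):
    """Crude check for a live <script> element in rendered HTML."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(error_page_unquoted(SAMPLE_QUERY))
    print(error_page_quoted(SAMPLE_QUERY))
```

Run stand-alone, the first page printed contains a live `<script>` element built from the query string; the second contains `&lt;script&gt;` instead. The check is the same one a practitioner would apply to any error or debug page: any text that originated in the request must pass through the quoting routine before it is placed in HTML, whatever exception path produced it.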