[Zope-dev] How (in)secure is Zope?

Martijn Pieters mj@zope.com
Thu, 13 Mar 2003 12:47:51 -0500


On Thu, Mar 13, 2003 at 06:11:32PM +0100, Florent Guillaume wrote:
> In article <3E708748.5050107@iuveno.de> you write:
> > - Cross-scripting issues:
> > 
> > I guess that some of those are still in the Zope Management Interface 
> > (which is not meant to be used by untrusted users in most cases), but 
> > Zope offers a lot of tools to make sure that it is hard to post 
> > malicious code in forums, attack Zope via URLs etc.
> 
> I've worked hard to remove all those in the DTML code. I've not audited
> the rest of the python code that generates HTML directly (code that
> should be taken out and shot), but I think there are patches for those
> in the collector.

And Florent's patches came on top of my DTML pro-active anti-HTML-from-
REQUEST-sourced-data changes that cause all outside strings to be HTML
quoted if they could *possibly* be used to construct HTML tags.

Some of my changes included taking out some of the directly-HTML-generating
python code to be shot without trial.

-- 
Martijn Pieters
| Software Engineer  mailto:mj@zope.com
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
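As an added illustration of the mechanism Martijn describes (this is example code written for this page, not code from the thread or from Zope itself): request-sourced strings that could be used to construct an HTML tag are marked on the way in and HTML-quoted on the way out, even where the template does not ask for quoting. The `TaintedString` name, the `<` trigger and the toy `<dtml-var>` renderer are assumptions made for the example.

```python
import html
import re


class TaintedString(str):
    """A request-sourced string that could possibly be used to build an HTML tag.

    Any value of this type is HTML-quoted whenever a template renders it.
    Name and rule are assumptions for this example, not Zope's own API.
    """


def taint_request_value(value):
    """Mark an incoming request value if it could form an HTML tag.

    Assumption: a '<' character is the trigger (the message does not spell
    out the rule). Other values pass through unchanged.
    """
    if isinstance(value, str) and "<" in value:
        return TaintedString(value)
    return value


def parse_request(raw_form):
    """Constructed stand-in for building REQUEST.form from parsed query data."""
    return {key: taint_request_value(val) for key, val in raw_form.items()}


# Toy pattern for the plain '<dtml-var name>' form (illustration only).
_DTML_VAR = re.compile(r"<dtml-var (\w+)>")


def render(template, request):
    """Render '<dtml-var name>' placeholders from the request mapping.

    Tainted values are quoted even though the template never asked for
    html_quote. Caveat: untainted values are still emitted raw, so a value
    with no '<' but with a quote character inside an attribute context is
    not covered by this rule; explicit quoting is still needed there.
    """
    def substitute(match):
        value = request[match.group(1)]
        if isinstance(value, TaintedString):
            return html.escape(str(value), quote=True)
        return str(value)
    return _DTML_VAR.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample form data: one harmless field, one tag-bearing field.
    req = parse_request({"name": "Florent", "comment": "<script>alert(1)</script>"})
    print(render("<p><dtml-var name>: <dtml-var comment></p>", req))
```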