[Zope] Zope inserting base tag

Jamie Heilman jamie@audible.transient.net
Thu, 27 Feb 2003 13:39:51 -0800


Dylan Reinhardt wrote:
> By "proper contextual escaping" do you mean automatic HTML quoting?  Last I 

Yes, in this case, the context is an attribute, thus the data type of
that attribute (<!ENTITY % URI "CDATA"> in this case) is the context.
Pragmatically this is the same as HTML quoting.  (That's not always the
case unfortunately.)  This is one reason why ZPT is so great, it
encourages best practices wrt contextual interpolation.

> is great for echoing back client input safely, but it's hard to see the 
> urgency in this case.

Not hard enough I'm afraid.  Cache poisoning is a big problem with
Zope.  It can run the gamut from annoyingly broken pages, to
defacement, to, in several instances, cross site scripting.  I've
filed a bug related to this, I've asked for it to be made public, but
to date it hasn't been.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
						-Sathington Willoughby
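To make the attribute-context point above concrete, here is an added example in Python; it is not code from this post, from Zope or from ZPT. It assumes a `<base href="...">` tag is being built from a request-derived string (the hypothetical `url` argument) and shows three things: the unquoted interpolation that lets the value break out of the attribute, plain HTML attribute quoting, and the extra checks a URI-typed attribute needs because attribute quoting alone does not reject a `javascript:` scheme or encode characters that are invalid in a URL. All function names are this example's own.

```python
import html
from urllib.parse import quote, urlsplit, urlunsplit

# Schemes a base URL may legitimately carry (an assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}


def base_tag_unescaped(url: str) -> str:
    """Weak form: the value is dropped straight into the attribute."""
    return '<base href="%s" />' % url


def base_tag_escaped(url: str) -> str:
    """Attribute context: HTML-quote & < > " ' before emitting the value.

    This stops break-out of the attribute, but it is only the pragmatic
    'same as HTML quoting' case: a javascript: URL contains none of those
    characters and passes through untouched.
    """
    return '<base href="%s" />' % html.escape(url, quote=True)


def safe_base_url(url: str) -> str:
    """URI context: validate the scheme and authority, then percent-encode the path.

    Raises ValueError for anything that is not an absolute http(s) URL.
    Query and fragment are dropped, since a base URL only needs scheme,
    host and path (an assumption for this example).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("refusing non-http(s) base URL: %r" % url)
    # '%' stays safe so already-encoded octets are not double-encoded;
    # the other characters are RFC 3986 path sub-delims.
    path = quote(parts.path or "/", safe="/%:@!$&'()*+,;=")
    return urlunsplit((parts.scheme.lower(), parts.netloc, path, "", ""))


def rejects_base_url(url: str) -> bool:
    """True when safe_base_url() refuses the value."""
    try:
        safe_base_url(url)
    except ValueError:
        return True
    return False


def base_tag(url: str) -> str:
    """Both layers: URI validation/encoding, then attribute quoting."""
    return '<base href="%s" />' % html.escape(safe_base_url(url), quote=True)


if __name__ == "__main__":
    # Constructed request-derived input, e.g. from a hostile Host header or path.
    hostile = 'http://h/"><script>alert(1)</script>'
    print(base_tag_unescaped(hostile))          # attribute broken out of
    print(base_tag_escaped(hostile))            # quoted, stays inside the attribute
    print(base_tag_escaped("javascript:alert(1)"))  # quoting alone lets this through
    print(rejects_base_url("javascript:alert(1)"))   # True
    print(base_tag("http://example.com/a b/"))  # path percent-encoded
```

The distinction the example draws is the one the post makes: in an attribute whose declared type is a URI, the context is the URI grammar, not just the attribute delimiters, so the value needs both scheme/authority validation with percent-encoding and, afterwards, HTML attribute quoting.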