[Zope] Zope inserting base tag
Dylan Reinhardt
zope@dylanreinhardt.com
Thu, 27 Feb 2003 15:08:23 -0800
At 01:39 PM 2/27/2003, Jamie Heilman wrote:
>Pragmatically this is the same as HTML quoting. (That's not always the
>case unfortunately.)
Could you offer an example where &dtml-some_var; returns something
different from <dtml-var some_var html_quote>?
>Cache poisoning is a big problem with Zope.
I read your post on VHM exploits a couple weeks ago. Is this the scope of
the problem? Is the problem solved by using a proxy cache to drop any
requests that contain the magic VHM-related strings? Or does it go deeper?
Also, how does using &dtml-URL1; do anything to guard against this? Won't
URL1 resolve to what follows VirtualHostBase in either syntax? Limited
testing suggests that this is the case... but maybe I'm not being clever
enough?
I've got a HOWTO that includes information on virtual hosting... I'll be
sure to add this information and any other advice or insight you're able to
offer.
Thanks,
Dylan
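The proxy-side check Dylan asks about, written out as an added example that is not code from this thread or from Zope itself: a small filter that refuses any request whose path carries the VirtualHostMonster traversal tokens (VirtualHostBase, VirtualHostRoot, and the _vh_ segment prefix, which are Zope's real VHM names). The percent-decoding loop and the sample request lines are assumptions of this example, included because a literal string match alone is bypassed by an encoded path such as /%56irtualHostBase/...

```python
from urllib.parse import unquote

# Zope VirtualHostMonster traversal names. A request carrying these in its
# path tells Zope to rewrite the base URL it generates, which is how a
# poisoned page ends up in a shared cache. Segment names are exact (Zope
# traversal is case-sensitive); "_vh_" is a prefix applied to path segments.
VHM_SEGMENTS = ("VirtualHostBase", "VirtualHostRoot")
VHM_PREFIX = "_vh_"


def _fully_unquote(path: str, rounds: int = 3) -> str:
    """Percent-decode a path repeatedly so a double-encoded token such as
    %2556irtualHostBase cannot slip past a plain string comparison."""
    decoded = path
    for _ in range(rounds):
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    return decoded


def is_vhm_request(path: str) -> bool:
    """True if the request path contains any VHM rewriting token."""
    decoded = _fully_unquote(path)
    # Only the path matters for traversal; drop the query string.
    segments = decoded.split("?", 1)[0].split("/")
    return any(
        seg in VHM_SEGMENTS or seg.startswith(VHM_PREFIX)
        for seg in segments
    )


def filter_requests(request_lines):
    """Split HTTP request lines into (allowed, dropped) by VHM tokens."""
    allowed, dropped = [], []
    for line in request_lines:
        parts = line.split()
        # Malformed request line: drop rather than guess.
        if len(parts) < 2:
            dropped.append(line)
            continue
        (dropped if is_vhm_request(parts[1]) else allowed).append(line)
    return allowed, dropped


# Constructed sample request lines for this example (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index_html HTTP/1.0",
    "GET /VirtualHostBase/http/evil.example.com:80/VirtualHostRoot/index_html HTTP/1.0",
    "GET /%56irtualHostBase/http/evil.example.com:80/VirtualHostRoot/ HTTP/1.0",
    "GET /docs/VirtualHostBaseline/ HTTP/1.0",
    "GET /VirtualHostBase/http/a:80/b/VirtualHostRoot/_vh_site/ HTTP/1.0",
]

if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_REQUESTS)
    for line in ok:
        print("allow", line)
    for line in bad:
        print("drop ", line)
```

This only blocks the tokens in the request path; whether Zope can still be steered through any other channel is exactly the "does it go deeper" question the post leaves open, so the filter is a cheap first layer, not a proof that the cache cannot be poisoned.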