[Zope-dev] DTML and REQUEST data changes about to be checked in

Florent Guillaume fg@nuxeo.com
Sat, 3 Aug 2002 16:31:41 +0000 (UTC)


The way I see it is this:

ZPT has (amongst others) the very nice property that it's trivial to
audit ZPT pages for non-quoted string output: just grep for 'structure'.

OTOH in DTML there's no way to do that, the default is unquoted output.
&dtml-stuff; is a good step, but there's way too much code out there
that doesn't take proper security precautions and is vulnerable to
cross-site scripting attacks. The fact that namespaces are implicit and
make it possible to get stuff from where we don't expect them doesn't
help.

We should always keep in mind the security debacle that PHP has become,
because it didn't take proper precautions for quoting (reports on
Bugtraq of XSS attacks in some PHP application practically every week).
There's magic_quotes_gpc or magic_quotes_runtime that automatically
quotes their equivalent of REQUEST or even any output from outside
applications, but it's a PITA because it does too much and is often
inconvenient, so a lot of users turn it off or forget to turn it on. And
it's too much magic.


The solution Martijn implemented has a number of nice properties, for
instance protecting those that do <dtml-var foo>, and will only leave
open the applications that really didn't take the most basic security
precautions (unfortunately I'm sure there are some out there, doing
stuff like <a href="<dtml-var "REQUEST.foo">"><dtml-var
"REQUEST.footitle"></a>).


So in a code audit all <dtml-var [expr=]"xxx"> should be suspect, and
&dtml-.xxx; too.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
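The audit rule at the end of the post (treat every <dtml-var [expr=]"xxx"> and every &dtml-.xxx; as suspect) is mechanical enough to script. The scanner below is an added example written for this page, not code from the thread, from Zope, or from Nuxeo. It uses regular expressions as a rough approximation of DTML syntax rather than Zope's own DTML parser, the SAMPLE_DTML text is constructed (it includes the href pattern quoted in the post), and the quoting-attribute list is an assumption about which attributes a reviewer would accept as evidence that output is escaped.

```python
import re
import sys
from typing import List, NamedTuple

# Constructed sample DTML covering the forms the post distinguishes:
# name-form <dtml-var foo> (covered by the automatic REQUEST quoting),
# expression-form <dtml-var "...">/<dtml-var expr="..."> (not covered),
# and the &dtml-.xxx; entity the post also calls suspect.
SAMPLE_DTML = """\
<h1>&dtml-title;</h1>
<p><dtml-var foo></p>
<p><dtml-var "REQUEST.foo"></p>
<a href="<dtml-var "REQUEST.foo">"><dtml-var "REQUEST.footitle"></a>
<p><dtml-var expr="REQUEST.get('q')"></p>
<p>&dtml-.REQUEST.q;</p>
<p><dtml-var foo html_quote></p>
<p><dtml-var "REQUEST.foo" html_quote></p>
"""

# Any <dtml-var ...> tag; the body is everything up to the closing '>'.
DTML_VAR_TAG = re.compile(r'<dtml-var\s+(?P<body>[^>]*)>', re.IGNORECASE)
# Expression form: the first thing after 'dtml-var' is a quoted string,
# either bare ("...") or as expr="...".
EXPR_FORM = re.compile(r'^\s*(?:"|expr\s*=\s*")', re.IGNORECASE)
# Entity form with a leading dot, spelled as in the post.
ENTITY_FORM = re.compile(r'&dtml-\.[^;]+;')
# Assumed set of attributes that show the output is being escaped.  A
# quoting function named inside the expression itself would also match,
# which is acceptable for a first-pass audit that errs toward silence
# only when escaping is visibly present.
QUOTE_ATTRS = ('html_quote', 'url_quote', 'sql_quote', 'newline_to_br')


class Finding(NamedTuple):
    line: int        # 1-based line number in the scanned text
    snippet: str     # the tag or entity as written
    quoted: bool     # True if a quoting attribute was found on the tag


def find_suspect(text: str) -> List[Finding]:
    """Return every expression-form dtml-var tag and &dtml-.xxx; entity.

    Name-form tags such as <dtml-var foo> are deliberately not reported:
    those are the ones the REQUEST-quoting change protects.
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in DTML_VAR_TAG.finditer(line):
            body = m.group('body')
            if EXPR_FORM.match(body):
                quoted = any(attr in body for attr in QUOTE_ATTRS)
                findings.append(Finding(lineno, m.group(0), quoted))
        for m in ENTITY_FORM.finditer(line):
            findings.append(Finding(lineno, m.group(0), False))
    return findings


def report(text: str, name: str = '<sample>') -> str:
    """Format findings one per line, flagging tags with no quoting attribute."""
    lines = []
    for f in find_suspect(text):
        flag = 'ok-quoted' if f.quoted else 'UNQUOTED '
        lines.append(f'{name}:{f.line}: {flag} {f.snippet}')
    return '\n'.join(lines)


if __name__ == '__main__':
    # Usage: python audit_dtml.py file1.dtml file2.dtml ...
    # With no arguments the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding='utf-8', errors='replace') as fh:
                print(report(fh.read(), path))
    else:
        print(report(SAMPLE_DTML))
```

Lines reported as ok-quoted still deserve a glance, since html_quote is the right escaping for element content but not necessarily for every attribute context; the UNQUOTED lines are the ones the post describes as the applications left open by the change.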