[Zope-dev] DTML and REQUEST data changes about to be checked in

Martijn Pieters mj@zope.com
Fri, 9 Aug 2002 10:12:34 -0400
On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > The risk for breakage is very small really
> 
> Your choice of '<' and html_quote suggests that my dtml code which generates 
> javascript and vbscript carries a higher risk than dtml which generates html.

Only if you generated that script using data from the REQUEST, implicitly.
Which was bad in the first place.

> >, and breakage
> > will generally only occur when someone is trying to exploit the weakness,
> > not in normal operation of the site.
> 
> The fact that your change uses html_quote to 'fix' the problem rather than 
> sounding 'hacker alert' alarm bells suggests to me that you don't really 
> believe that ;-)

Again, the wide scope of DTML use would make such bells warble prematurely
all too often. The normal, recommended fix for the general weakness is to
always use HTML quote.

-- 
Martijn Pieters
| Software Engineer  mailto:mj@zope.com
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
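The exchange above turns on one point: quoting REQUEST data with html_quote is the right general fix for HTML output, but a DTML page that emits JavaScript places that data inside a script string literal, where html_quote leaves the quote characters that matter. The following is an added illustration, not code from Zope or from either poster. Its html_quote is modelled on the DocumentTemplate one and is assumed to escape the same four characters (&, <, >, "); js_string_quote, the tiny string-literal scanner and the sample inputs are constructed for this example.

```python
"""Context-aware quoting of REQUEST data: HTML quoting versus JavaScript string quoting.

Added example; html_quote is modelled on Zope's DocumentTemplate html_quote
(assumption: it escapes exactly & < > "), everything else is constructed here.
"""
import json

_HTML_ENTITIES = (('&', '&amp;'), ('<', '&lt;'), ('>', '&gt;'), ('"', '&quot;'))


def html_quote(value: str) -> str:
    """HTML-escape a value for insertion into element content or a double-quoted attribute."""
    for char, entity in _HTML_ENTITIES:      # '&' is first so entities are not double-escaped
        value = value.replace(char, entity)
    return value


def js_string_quote(value: str) -> str:
    """Quote a value as a JavaScript string literal (double-quoted, backslash-escaped).

    json.dumps yields a literal JavaScript accepts; the extra replacements keep
    '<', '>' and '&' out of the output so the literal can never close the
    surrounding <script> element or be reinterpreted by an HTML parser.
    """
    literal = json.dumps(value)
    return literal.replace('<', '\\u003c').replace('>', '\\u003e').replace('&', '\\u0026')


def render_html(name: str) -> str:
    """HTML context: html_quote is the correct escaping here."""
    return '<p>Hello, %s</p>' % html_quote(name)


SCRIPT_PREFIX = "<script>var user = "
SCRIPT_SUFFIX = ";</script>"


def render_script_naive(name: str) -> str:
    """Script context with html_quote only: what a DTML page generating JavaScript gets."""
    return "%s'%s'%s" % (SCRIPT_PREFIX, html_quote(name), SCRIPT_SUFFIX)


def render_script_safe(name: str) -> str:
    """Script context with a JavaScript-string quoter: value stays one literal."""
    return "%s%s%s" % (SCRIPT_PREFIX, js_string_quote(name), SCRIPT_SUFFIX)


def scan_js_string(code: str, start: int) -> int:
    """Return the index just past the JS string literal starting at code[start].

    code[start] must be ' or "; backslash escapes are honoured. Raises ValueError
    if the literal is never terminated.
    """
    quote = code[start]
    if quote not in ('"', "'"):
        raise ValueError("no string literal at position %d" % start)
    i = start + 1
    while i < len(code):
        if code[i] == '\\':
            i += 2                            # skip the escaped character
            continue
        if code[i] == quote:
            return i + 1
        i += 1
    raise ValueError("unterminated string literal")


def assignment_is_single_literal(rendered: str) -> bool:
    """True when the value assigned to `user` is exactly one string literal
    followed directly by the closing `;</script>`; False when the data broke out
    of the literal or the literal never terminates."""
    if not rendered.startswith(SCRIPT_PREFIX):
        raise ValueError("unexpected template output")
    try:
        end = scan_js_string(rendered, len(SCRIPT_PREFIX))
    except ValueError:
        return False
    return rendered[end:] == SCRIPT_SUFFIX


if __name__ == "__main__":
    # Constructed sample REQUEST values: an ordinary name with an apostrophe and markup,
    # and a value containing a closing script tag.
    for sample in ("O'Brien <b>", "x</script>y", "plain"):
        print(render_html(sample))
        for renderer in (render_script_naive, render_script_safe):
            out = renderer(sample)
            print("%-20s literal intact: %s" % (renderer.__name__, assignment_is_single_literal(out)))
```

Run as a script, the apostrophe in the first sample shows the difference: html_quote neutralises the `</script>` case (the angle brackets become entities) but leaves the single quote, so the html_quote-only script output no longer consists of one string literal, while the JavaScript-string quoter keeps it intact for every sample.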