[Zope-dev] raise_standardErrorMessage facilitates cross site scripting

Jamie Heilman jamie@audible.transient.net
Fri, 27 Jun 2003 04:43:43 -0700


Jamie Heilman wrote:
> I have a feeling it's attributable to either
> raise_standardErrorMessage's "smart" tag searching, or some other
> auto-magical aspect of the error handling framework.

I finally got around to testing this hypothesis, and it seems to be
true.  raise_standardErrorMessage assumes anything stringish matching
[a-zA-Z]> is markup and subsequently sets error_message, which
normally isn't quoted.  The problem is, while it may very well be
markup, there's no reason to trust it; as was shown with the case when
int() is passed '<b>old', the error message may contain markup
obtained from an untrusted source.

So the question is, how much pain would it cause if there was a mandate
that error messages could not contain markup, and the behavior was
changed so that error_message was always quoted, but assumed to be
pre-formatted plain text?

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
						-Sathington Willoughby
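The heuristic and the proposed fix, as an added illustration that is not Zope's own code: `render_error_legacy` is a simplified stand-in for the `[a-zA-Z]>` tag-sniffing the post describes (an assumption, not the real `raise_standardErrorMessage`), and `render_error_hardened` shows the always-quote alternative the post asks about.

```python
import html
import re

# The post's heuristic: a letter followed by '>' makes a string "look like"
# markup.  Assumption: a simplified stand-in for Zope's logic, not its code.
_LOOKS_LIKE_MARKUP = re.compile(r"[a-zA-Z]>")


def looks_like_markup(text: str) -> bool:
    """True if the tag-sniffing heuristic would classify text as markup."""
    return bool(_LOOKS_LIKE_MARKUP.search(text))


def int_conversion_error(user_input: str) -> str:
    """Constructed example of an exception message that echoes untrusted
    input, the way int('<b>old') does.  Returns '' if no error is raised."""
    try:
        int(user_input)
    except ValueError as exc:
        return str(exc)
    return ""


def render_error_legacy(error_value: str) -> str:
    """Behaviour the post complains about: a message that passes the
    heuristic is embedded unquoted, so attacker-controlled input becomes
    live HTML in the error page."""
    if looks_like_markup(error_value):
        return "<p>Error: " + error_value + "</p>"
    return "<p>Error: " + html.escape(error_value) + "</p>"


def render_error_hardened(error_value: str) -> str:
    """The proposed change: always quote error_message and present it as
    pre-formatted plain text, regardless of what it looks like."""
    return "<pre>Error: " + html.escape(error_value, quote=True) + "</pre>"


if __name__ == "__main__":
    msg = int_conversion_error("<b>old")      # constructed untrusted input
    print("heuristic says markup:", looks_like_markup(msg))
    print("legacy  :", render_error_legacy(msg))
    print("hardened:", render_error_hardened(msg))
```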