[Zope] CERT -- Malicious HTML Tags

Tres Seaver tseaver@palladion.com
Wed, 02 Feb 2000 16:56:07 -0600


CERT has released a fairly dire advisory on the dangers of dynamic page
generation when coupled with untrusted content submission:

 http://www.cert.org/advisories/CA-2000-02.html

Anyone care to comment on Zope's vulnerability here?  For instance, the ZGotW
site allows submissions in structured text, plain text, and HTML -- but now I am
probably going to htmlquote() the last, which kills a lot of the point of it,
no?

The key issue lies in embedding <SCRIPT>...</SCRIPT> chunks (or their immoral
equivalents, <OBJECT>, <EMBED>, and <APPLET>).  Consider, for instance, those
nasty pop-up windows launched by some "free" webspace providers;  then consider
what happens in Squishdot, ZGotW, or any other site which permits users to enter
arbitrary HTML as part of the feedback/collaboration process.  Not a pretty
scene!

Tres.
-- 
=========================================================
Tres Seaver         tseaver@palladion.com    713-523-6582
Palladion Software  http://www.palladion.com
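The two options the post weighs, escaping everything with htmlquote() versus allowing user HTML, have a middle ground: an allow-list sanitizer that keeps harmless markup but drops SCRIPT, OBJECT, EMBED and APPLET (and their contents) and refuses dangerous link schemes. The Python below is an added illustration, not code from the post, from Zope or from any Zope product; the tag and attribute policy it encodes is a hypothetical one for a feedback form, and the sample submission is constructed.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy for a feedback/collaboration form: markup we keep.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre",
                "ul", "ol", "li", "blockquote", "a"}
# The only attribute passed through, and only on <a>.
ALLOWED_ATTRS = {"a": {"href"}}
# Elements whose *content* is discarded as well, not just the tags.
DROP_CONTENT_TAGS = {"script", "style", "object", "embed", "applet",
                     "iframe", "frame", "frameset", "noscript", "title"}
# Elements with no closing tag, so they must not affect nesting depth.
VOID_TAGS = {"br", "embed", "img", "hr", "input", "area", "base", "col",
             "link", "meta", "param", "source", "track", "wbr"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}


def escape_all(text):
    """The htmlquote() approach: every '<' becomes '&lt;', nothing renders."""
    return html.escape(text, quote=True)


def safe_href(value):
    """Return the href if its scheme is harmless, else None."""
    if value is None:
        return None
    # Browsers ignore embedded tabs/newlines in URLs, so strip them first.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    if urlsplit(cleaned).scheme.lower() not in SAFE_SCHEMES:
        return None
    return cleaned


class AllowListSanitizer(HTMLParser):
    """Re-emit only allow-listed tags; escape all text; drop script-like elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags still open, to close at the end
        self.drop_depth = 0   # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):   # HTMLParser lowercases tag names
        if tag in DROP_CONTENT_TAGS:
            if tag not in VOID_TAGS:
                self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is removed; its text content is kept
        rendered = [tag]
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()):
                if name == "href":
                    value = safe_href(value)
                if value is not None:
                    rendered.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s>" % " ".join(rendered))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if tag not in VOID_TAGS and self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            while True:   # close anything left open inside, then the tag itself
                top = self.open_tags.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, declarations and processing instructions are no-ops in
    # HTMLParser by default, so they are silently dropped.

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(text):
    parser = AllowListSanitizer()
    parser.feed(text)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed feedback submission mixing wanted markup with a script chunk.
    post = '<p>Nice <b>article</b>!</p><script>window.open("popup")</script>'
    print(escape_all(post))      # renders as literal text, no markup at all
    print(sanitize_html(post))   # keeps <p>/<b>, the script chunk is gone
```

The allow-list direction matters: an unknown or newly invented element is dropped rather than passed through, and the href check looks at the parsed scheme rather than at a blocklist of strings.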