[Zope] Re: [Zope-dev] New: Cross Site Scripting vulnerability

Bill Anderson bill@immosys.com
25 Sep 2001 11:57:04 -0600


On Sun, 2001-09-23 at 15:17, Oliver Bleutgen wrote:
> >>         Hello message board. This is a message.
> >>                <SCRIPT>malicious code</SCRIPT>
> >>         This is the end of my message.
> 
> > I don't really see your point other than a carelessly implemented app may
> > expose this kind of vulnerability. Python (and hence Zope) has a library
> > for stripping out this sort of malicious HTML.
> 
> > Search for Strip-o-Gram or Squishdot on Zope.org for examples of how this
> > can be used.
> 
> umm chris,
> 
> you're right, but this example
> 
> http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
> 
> executes the script. I don't exactly see why/where but I feel 

Perhaps it is a browser thing? It isn't being executed by Galeon.


Bill
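The two cases discussed in this thread, a stored script in a message-board posting and a script in a URL path that gets echoed back into an error page, are the same bug: client-supplied text is interpolated into HTML without escaping. The following is an added example and is not code from the thread, from Zope, or from Strip-o-Gram; the sample inputs are the path and the posting quoted above, and the tag-stripping functions are a hypothetical stand-in that only illustrates one pitfall (case-sensitive matching misses the upper-case `<SCRIPT>` used in both samples), not a description of what Strip-o-Gram does.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs, taken from the thread: the URL path reported to
# execute the script, as the browser sends it (percent-encoded) and as the
# server sees it after decoding, plus the message-board posting from the
# first quote.
SAMPLE_PATH = "/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>"
SAMPLE_ENCODED_PATH = "/Documentation/%3CSCRIPT%3Ealert(document.domain)%3C/SCRIPT%3E"
SAMPLE_MESSAGE = (
    "Hello message board. This is a message.\n"
    "<SCRIPT>malicious code</SCRIPT>\n"
    "This is the end of my message."
)

# Hypothetical 404 template; the {} is where the requested path is shown.
PAGE = "<html><body><h1>Not Found</h1><p>The resource {} could not be found.</p></body></html>"


def decode_path(raw_path: str) -> str:
    """What the server actually works with: the percent-decoded request path."""
    return unquote(raw_path)


def not_found_vulnerable(raw_path: str) -> str:
    """Echo the decoded path into the page verbatim. Any tag in the URL becomes
    markup in the response, which is the reflected case from the thread."""
    return PAGE.format(decode_path(raw_path))


def not_found_escaped(raw_path: str) -> str:
    """Same page, but <, >, &, \" and ' are escaped before interpolation, so the
    browser renders the path as text instead of parsing it as a tag."""
    return PAGE.format(html.escape(decode_path(raw_path), quote=True))


# Hypothetical stand-in for a tag stripper (not Strip-o-Gram's code). The first
# pattern is deliberately case-sensitive to show the pitfall; the second is not.
STRIP_LOWER_ONLY = re.compile(r"<script\b.*?</script>", re.DOTALL)
STRIP_ANY_CASE = re.compile(r"<script\b.*?</script>", re.DOTALL | re.IGNORECASE)


def strip_script_lower_only(text: str) -> str:
    """Removes <script>...</script> blocks only when spelled in lower case."""
    return STRIP_LOWER_ONLY.sub("", text)


def strip_script_any_case(text: str) -> str:
    """Removes <script>...</script> blocks regardless of case."""
    return STRIP_ANY_CASE.sub("", text)


def render_message(message: str) -> str:
    """Escape the posting so the browser shows the tag text literally; the
    stored case from the thread handled the same way as the reflected one."""
    return "<p>" + html.escape(message, quote=True).replace("\n", "<br>") + "</p>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """Check used below: is a literal <script ...> start tag present in the output?"""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    for label, page in (("vulnerable 404", not_found_vulnerable(SAMPLE_ENCODED_PATH)),
                        ("escaped 404", not_found_escaped(SAMPLE_ENCODED_PATH))):
        print(f"{label}: script tag present = {contains_script_tag(page)}")
    print("lower-case-only stripper leaves a tag:",
          contains_script_tag(strip_script_lower_only(SAMPLE_MESSAGE)))
    print("any-case stripper leaves a tag:",
          contains_script_tag(strip_script_any_case(SAMPLE_MESSAGE)))
    print("escaped posting leaves a tag:",
          contains_script_tag(render_message(SAMPLE_MESSAGE)))
```

Escaping keeps the user's text visible (the posting still reads "malicious code", just as text), whereas stripping silently discards it; either way, the check a practitioner wants is that the final HTML contains no tag the client wrote.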