[Zope] Re: [Zope-dev] New: Cross Site Scripting vulnerability

Oliver Bleutgen <myzope@gmx.net>
Tue, 25 Sep 2001 20:22:02 +0200


> [Bill Anderson]

>> > umm chris,
>> >
>> > you're right, but this example
>> >
>> >
>> > http://www.zope.org/Documentation/<SCRIPT>alert(document.domain)</SCRIPT>
>> >
>> > executes the script. I don't exactly see why/where but I feel
>>
>> Perhaps it is a browser thing? It isn't being executed by Galeon.
>>
>>
>> Bill
>>

> Pasting that URL into IE and Netscape 4.73 in Win2000 didn't execute it
> either.

> Tom P


This is not too surprising, as the code on zope.org was
apparently changed not to display alternative links to
classic.zope.org:8080/<remainder of url> anymore.
At the time the first mail was posted it did, and IE
(5.0.whatever) thought it was a good idea to execute
that JavaScript - don't know if rightly or not.

But it really never was a zope problem, for all I can see.


cheers,
oliver