[ZPT] Re: [Zope] prevent quoting in tal:attributes

Jamie Heilman jamie at audible.transient.net
Thu Oct 2 04:43:58 EDT 2003


Dieter Maurer wrote:
> I am not sure whether there is a security risk (similar to the one
> given by not quoting HTML fragments). In principle, an entity
> reference can expand to anything (defined in the document type).

...and therein lies the rub.  Uncertainty in the face of security is
reason enough to unconditionally quote attribute values in my mind.
At any rate, I hope the following example will sufficiently illustrate
why Evan's latest changes are unacceptable.

<pre tal:content="request/form/items"></pre>
<form method="GET">
X:<input type="text" name="X" tal:attributes="value request/X|nothing" />
  <input type="submit" value="Submit" />
</form>
<p>Type <tt>X&amp;amp;Y</tt> into the field and press <i>Submit</i>
twice.  Pay attention to the reported value of X, it <b>should not</b>
change.</p>


-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
						-Sathington Willoughby
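As an added illustration (not part of the original post and not the ZPT code under discussion), the following Python 3 script models the round trip Jamie describes. It assumes two attribute quoters: `quote_unconditionally`, which escapes every `&`, `<`, `>` and `"`, and `quote_entity_aware`, a hypothetical quoter that leaves an `&` alone whenever it already looks like the start of an entity reference. The browser side is modelled with the standard library's `html.unescape`.

```python
import html
import re

# Hypothetical pattern an "entity-aware" quoter might use to pass apparent
# entity references (&name; &#123; &#x1F;) through untouched.  This is an
# assumption for illustration, not the actual ZPT change being discussed.
_ENTITY_RE = re.compile(r'&(#[0-9]+|#x[0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);')


def quote_unconditionally(value):
    """Policy A: escape &, <, > and " in an attribute value, always."""
    return html.escape(value, quote=True)


def quote_entity_aware(value):
    """Policy B (hypothetical): escape like policy A, except that an '&'
    which already begins something shaped like an entity reference is
    emitted raw, on the theory that it was 'already quoted'."""
    out = []
    i = 0
    while i < len(value):
        m = _ENTITY_RE.match(value, i)
        if m:
            out.append(m.group(0))   # pass the apparent entity through
            i = m.end()
            continue
        out.append(html.escape(value[i], quote=True))
        i += 1
    return ''.join(out)


def browser_decodes(attr_value):
    """What a browser reads out of value="...": entity references expanded."""
    return html.unescape(attr_value)


def round_trip(quoter, submitted, times=2):
    """Simulate Jamie's test: the submitted string is rendered back into
    value="..." by the quoter, the browser decodes it, and the form is
    submitted again.  Returns the value seen by the server on each submit."""
    history = [submitted]
    for _ in range(times):
        submitted = browser_decodes(quoter(submitted))
        history.append(submitted)
    return history


def is_round_trip_stable(quoter, submitted, times=2):
    """True if the server sees the same value on every resubmit."""
    history = round_trip(quoter, submitted, times)
    return all(v == history[0] for v in history)


if __name__ == '__main__':
    # Constructed input: exactly what the post asks the reader to type.
    typed = 'X&amp;Y'
    print('unconditional:', round_trip(quote_unconditionally, typed))
    print('entity-aware: ', round_trip(quote_entity_aware, typed))
```

With unconditional quoting the server sees `X&amp;Y` on every submit, because the rendered attribute is `value="X&amp;amp;Y"` and the browser decodes it back to what was typed. With the entity-aware quoter the first render is `value="X&amp;Y"`, the browser decodes that to `X&Y`, and the value has silently changed: the template layer and the browser are now both decoding, which is the same loss of control that makes unquoted HTML fragments dangerous.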
