[ZPT] Re: [Zope-Annce] TAL Hotfix 2004-07-14 for Zope 2.7.0, 2.7.1

Dieter Maurer dieter at handshake.de
Fri Jul 16 14:53:30 EDT 2004


Chris Withers wrote at 2004-7-16 08:38 +0100:
>Fred Drake wrote:
>
>> This hotfix product fixes a security bug in Page Templates.  This fix
>> ensures that values substituted in named slots in translated elements
>> are properly encoded.  If encoding is not desired and the source of
>> the replacement text is trusted, the "structure" modifier can be used
>> with the tal:content or tal:replace attribute to explicitly disable
>> encoding.
>
>"Hotfix" implies a security issue. Can you explain what that issue is?

I read it above: the interpolated translation has not been
HTML/XML quoted. "Interpolated translation" means "values substituted
in slots of translated elements" (whatever that may be in detail).

I do not think that this is highly critical (as translations are
usually only provided by trusted sources). But, at least,
it is not bad to HTML/XML quote by default.

-- 
Dieter
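As an added illustration of the bug the announcement describes (this is example code, not the hotfix or any Zope code): a minimal model of interpolating i18n named slots into a translated message, with the unquoted pre-hotfix behaviour beside the quoted-by-default behaviour and a "structure"-style opt-out for trusted markup. The `${name}` slot syntax and the translation table are constructed for the example.

```python
import html
import re

# Constructed slot syntax for this example: ${name} marks a named slot.
SLOT = re.compile(r"\$\{(\w+)\}")

# Constructed translation table: msgid -> translated template with named slots.
TRANSLATIONS = {
    "de": {
        "Hello ${name}, you have ${count} messages.":
            "Hallo ${name}, Sie haben ${count} Nachrichten.",
    },
}


def interpolate_unfixed(template, slots):
    """Pre-hotfix behaviour: slot values are inserted into the markup verbatim,
    so a value containing '<' or '&' becomes live HTML."""
    return SLOT.sub(lambda m: str(slots[m.group(1)]), template)


def interpolate_fixed(template, slots, structure=()):
    """Hotfix behaviour: slot values are HTML/XML-quoted by default; only slots
    named in `structure` (the equivalent of the 'structure' modifier, for
    trusted markup) are passed through unquoted."""
    def fill(match):
        name = match.group(1)
        value = str(slots[name])
        if name in structure:
            return value
        return html.escape(value, quote=True)
    return SLOT.sub(fill, template)


def translate(msgid, slots, lang, fixed=True, structure=()):
    """Look up the translated template for `lang` (falling back to the msgid)
    and fill its named slots, using the fixed or unfixed interpolation."""
    template = TRANSLATIONS.get(lang, {}).get(msgid, msgid)
    if fixed:
        return interpolate_fixed(template, slots, structure)
    return interpolate_unfixed(template, slots)
```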

