Submitted by : simon at: 2003-10-26T21:32:35+00:00 (14 years ago)

ZWiki allows users to write an <iframe> tag. This will cause a security problem.

<!-- test: --> &lt;disabled iframe&gt;

(new) --PieterB, 2003/08/26

> ZWiki allows users to write an <iframe> tag. This will cause a security problem.

I think Zwiki is vulnerable to all XSS (cross server scripting) attacks. The easiest solution is to integrate StripOGram support in Zwiki, see http://www.zope.org/Members/chrisw/StripOGram

Unfortunately, I don't have time to implement it right now.

Pieter

fixed for 0.23 --simon, Thu, 25 Sep 2003 20:37:38 -0700

I don't know what iframe does, but I've just added it to the javascriptexpr for now. Thanks.

property change --simon, Thu, 25 Sep 2003 20:38:07 -0700

Status: open => closed
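
The thread weighs two approaches: adding `iframe` to a pattern of forbidden tags, or stripping markup as Pieter suggests. The following is an added example, not Zwiki or StripOGram code: a minimal allowlist filter built on Python's standard `html.parser`. The `sanitize` name, the tag and attribute lists and the sample inputs are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for illustration; anything not listed is rendered inert.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # relative links are dropped too
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-emit allowlisted tags and attributes; escape every other tag as text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # iframe, script, object, ...: show the raw tag as harmless text.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops event handlers, style and unknown attributes
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops any URL scheme outside SAFE_SCHEMES
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return  # void elements have no closing tag
        closing = f"</{tag}>"
        self.out.append(closing if tag in ALLOWED_TAGS else escape(closing))

    def handle_data(self, data):
        self.out.append(escape(data))  # text and script bodies become plain text


def sanitize(markup: str) -> str:
    """Return markup with only allowlisted HTML left active."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Because the filter decides what to keep rather than what to forbid, a tag nobody thought to list is escaped by default instead of passing through.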