Cert advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests

Bert Freudenberg bert at isgnw.CS.Uni-Magdeburg.De
Thu Feb 3 11:19:46 UTC 2000


On Wed, 2 Feb 2000 agree at carltonfields.com wrote:

> A web site may inadvertently include malicious HTML tags or script in
> a dynamically generated page based on unvalidated input from
> untrustworthy sources. This can be a problem when a web server does
> not adequately ensure that generated pages are properly encoded to
> prevent unintended execution of scripts, and when input is not
> validated to prevent malicious HTML from being presented to the user.
> 
> Advisory may be found at:
> http://www.cert.org/advisories/CA-2000-02.html
> 
> Should we react to this with respect to the Squeak Swiki regarding
> <SCRIPT> tags?

I'm not sure. It's not only script tags. It would prevent swiki authors from
putting "active content" into a page. OTOH Swikis are mostly about text and
images.

BTW, the vulnerability occurs in the strangest places - copy this link to
your browser: http://minnow.cc.gatech.edu/<SCRIPT>alert("EVIL")</SCRIPT>
and look at the page source code. Now this one is trivial to fix
(SwikiAdmins: insert "XmlSwikiPage toXml format: ..." into
*/actions/url.*), but still ...

  -Bert-
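
The reflected-URL case described in the message above, as an added example that is not part of the original post and is not Swiki code. It is written in Python rather than the Swiki's Smalltalk; the template, the function names and the sample paths are constructed for illustration. It renders a "not found" page with and without output encoding and checks whether the request path introduces any element of its own.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed request path, modelled on the link quoted in the message above.
SAMPLE_PATH = '/%3CSCRIPT%3Ealert(%22EVIL%22)%3C/SCRIPT%3E'

# Constructed stand-in for a generated "not found" page (hypothetical template).
TEMPLATE = "<html><body><h1>Not found</h1><p>No page named {name}</p></body></html>"


def render_unencoded(raw_path):
    """The 'before': the decoded path is pasted into the page as-is."""
    return TEMPLATE.format(name=unquote(raw_path))


def render_encoded(raw_path):
    """The 'after': decode the path, then HTML-encode it at the point of output."""
    return TEMPLATE.format(name=html.escape(unquote(raw_path), quote=True))


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in a page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # HTMLParser lowercases tag names


def tags_in(page):
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


def introduces_markup(page):
    """True if the page contains any element the bare template does not."""
    baseline = set(tags_in(TEMPLATE.format(name="")))
    return bool(set(tags_in(page)) - baseline)


if __name__ == "__main__":
    for render in (render_unencoded, render_encoded):
        print(render.__name__, introduces_markup(render(SAMPLE_PATH)))
```

Because the encoding is applied to every character of the reflected value, it covers tags other than `<SCRIPT>` as well, which a filter on script tags alone would not.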




