How about cleaning the message before saving it as a cookie? Would adding something like message = portal_transforms.convertTo('text/x-html-safe', self.message, mimetype='text/x-web-intelligent') to Products.statusmessages.message.Message.encode be OK?
Philip

On 23.08.2012 at 18:50, Matthew Wilkes <m...@matthewwilkes.name> wrote:

> Philip Bauer wrote:
>> I changed this by customizing the template. Might there be a better way? Or
>> might it be a good idea to change this template by default?
>
> I would be hesitant to change this by default, as it means that if a
> malicious user can get cookies set for another user they can insert arbitrary
> HTML.
>
> Matt

_______________________________________________
Product-Developers mailing list
product-develop...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-product-developers
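The exchange above turns on where the cleaning happens. Sanitising inside Message.encode() only covers messages the application itself writes; the cookie arrives in the request, so an attacker who can get a cookie set in the victim's browser never goes through encode() at all, and the template that renders the stored text with `structure` will insert whatever is there. The defence therefore has to sit on the read side (escape or allow-list at decode/render time). The following Python is an added illustration for this thread, not Plone's or Products.statusmessages' code: it models a cookie-backed status-message store with an assumed cookie name and an assumed JSON+base64 serialisation (not Plone's real format), and a small allow-list sanitiser that stands in for the portal_transforms text/x-html-safe transform rather than reproducing it. It renders one attacker-written cookie three ways so the difference is visible.

```python
"""Added example (not from the thread, and not Plone's or Products.statusmessages'
code): a cookie-backed status-message store with three ways of rendering the
stored text.  Cookie name and serialisation are assumptions for this example."""
import base64
import html
import json
from html.parser import HTMLParser

COOKIE_NAME = "statusmessages"   # assumed for the example, not Plone's real cookie


def encode_cookie(messages):
    """Serialise [[text, type], ...] into a cookie value (JSON + base64; an assumption)."""
    return base64.b64encode(json.dumps(messages).encode("utf-8")).decode("ascii")


def decode_cookie(value):
    """Inverse of encode_cookie.  The value comes from the request, so it is
    attacker-controlled: reject anything that is not a list of [str, str] pairs."""
    try:
        data = json.loads(base64.b64decode(value, validate=True).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return []
    out = []
    if isinstance(data, list):
        for item in data:
            if isinstance(item, list) and len(item) == 2 and all(isinstance(s, str) for s in item):
                out.append(tuple(item))
    return out


class _AllowListSanitizer(HTMLParser):
    """Keep a few inline tags, drop every other tag (and the body of script/style),
    escape all text, and only let http(s) or site-relative hrefs through.
    A stand-in for text/x-html-safe, not that transform."""
    ALLOWED_TAGS = {"a", "b", "strong", "i", "em", "br"}
    ALLOWED_ATTRS = {"a": {"href"}}
    SAFE_HREF_PREFIXES = ("http://", "https://", "/")

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = None   # script/style element whose content is being skipped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._dropping = tag
            return
        if tag not in self.ALLOWED_TAGS:
            return              # img, iframe, ... vanish; the text around them survives
        parts = [tag]
        for name, value in attrs:
            if name not in self.ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue        # every on* handler and style attribute ends here
            value = value.strip()
            if name == "href" and (not value.lower().startswith(self.SAFE_HREF_PREFIXES)
                                   or value.startswith("//")):
                continue        # javascript:, data:, vbscript:, protocol-relative
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s>" % " ".join(parts))

    def handle_endtag(self, tag):
        if tag == self._dropping:
            self._dropping = None
        elif tag in self.ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self._dropping is None:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(text):
    """Allow-list clean-up applied on the read side, i.e. after decode_cookie."""
    parser = _AllowListSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


def render_raw(text):
    """What a template does with `structure message`: inserted verbatim."""
    return text


def render_escaped(text):
    """What a template does with a plain ${message}: everything escaped."""
    return html.escape(text, quote=True)


def render_messages(cookie_value, renderer):
    """Decode the cookie and wrap each message the way a portal message box would."""
    return ['<div class="portalMessage %s">%s</div>' % (html.escape(mtype, quote=True), renderer(text))
            for text, mtype in decode_cookie(cookie_value)]


if __name__ == "__main__":
    # Constructed attacker-written cookie: never passed through encode()'s cleaning.
    evil = encode_cookie([['Saved <script>alert(document.cookie)</script>'
                           '<a href="javascript:alert(1)">link</a>', "info"]])
    for renderer in (render_raw, render_escaped, sanitize_html):
        print(renderer.__name__, render_messages(evil, renderer))
```

render_raw shows the outcome Matt describes: the script and the javascript: link reach the page unchanged. render_escaped is the safe default the stock template gives (no markup at all), and sanitize_html keeps the harmless bold text and http(s) links while stripping the rest; because it runs after decode_cookie, it protects even when the cookie was written by someone other than the application.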