Plone Hotfix 2010-06-12
***********************

The fix
=======

This hotfix causes the safe_html transform to be executed twice, closing the
attack vector described in CVE-2010-2422, which allows injection of arbitrary
HTML that should normally be filtered. Running the transform a second time adds
a small performance penalty to the calculation of the safe_html transform, which
occurs on the first viewing of an object after creation, editing, or a server
restart.

To exploit this flaw, untrusted users must be able to author content on a
website. Thanks go to Alan Hoey for reporting this flaw.
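
The reason a second pass helps is that a single-pass filter need not be
idempotent: removing markup can leave fragments that together form new markup,
so the output of one pass is not yet a stable, clean result. The following is an
added illustration of that principle and of a regression check for it; it is
not code from this hotfix or from PortalTransforms. The ``strip_once`` filter,
the ``SAMPLE`` input and all function names are constructed for the example.

```python
import re

# Toy single-pass tag stripper standing in for a non-idempotent HTML filter.
# Constructed for this example; it is NOT PortalTransforms' safe_html transform.
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_once(html: str) -> str:
    """Remove every <script ...> and </script> tag in a single pass."""
    return _SCRIPT_TAG.sub("", html)


def strip_to_fixpoint(html: str, max_rounds: int = 10) -> str:
    """Reapply the filter until its output stops changing.

    Running the filter twice, as the hotfix does, is the minimum; this loop
    generalises that to a fixpoint so the result is guaranteed stable.
    """
    for _ in range(max_rounds):
        cleaned = strip_once(html)
        if cleaned == html:
            return cleaned
        html = cleaned
    raise ValueError("filter did not converge within max_rounds")


def is_idempotent(filter_fn, sample: str) -> bool:
    """Regression check for a filter: f(f(x)) must equal f(x).

    A False result means one pass of filter_fn can leave markup behind that
    a second pass would still remove, i.e. the filter is not safe to run once.
    """
    once = filter_fn(sample)
    return filter_fn(once) == once


# Constructed input: stripping the inner tags in one pass leaves the outer
# fragments adjacent, so a single pass does not reach a clean state.
SAMPLE = "<scr<script>ipt>alert(1)</scr</script>ipt>"


if __name__ == "__main__":
    print("one pass     :", strip_once(SAMPLE))          # still contains a tag
    print("fixpoint     :", strip_to_fixpoint(SAMPLE))   # tag-free
    print("strip_once idempotent on SAMPLE?", is_idempotent(strip_once, SAMPLE))
    print("strip_to_fixpoint idempotent?   ", is_idempotent(strip_to_fixpoint, SAMPLE))
```

Use ``is_idempotent`` as a unit test over a corpus of awkward inputs: any
filter for which it returns False needs either a fixpoint loop like
``strip_to_fixpoint`` or a proper parser-based sanitiser rather than a single
string-rewriting pass.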

Installation for Plone 2.1 - 3.1 users
--------------------------------------

To install this hotfix add the directory PloneHotfix20100612 to your instance
products directory. If the hotfix has been successfully added you will see the
following message when starting the instance in foreground mode::

    2010-06-12 23:54:28 INFO PloneHotfix20100612 safe_html patched

Installation for Plone 3.2 and 3.3 users
----------------------------------------

Although this hotfix will work with any version of Plone, users of Plone 3.2
to Plone 3.3.5 should instead add the following to their buildout
configuration files and re-run buildout::

    [versions]
    Products.PortalTransforms = 1.6.12

There will be no confirmation message on start-up, so the presence of the fix
can be verified by checking the version number of PortalTransforms in the Zope
Control Panel.

Users of Plone 3.3.6 and above are unaffected.

Information for Plone 4 users
-----------------------------

No stable versions of Plone 4 are affected by this bug. Plone beta testers are
reminded that beta versions are not intended for use on production sites.

Changelog
=========

20100612-1
----------

* Update readme with CVE number
  [MatthewWilkes]

20100612-0
----------

* Initial implementation
  [MatthewWilkes]