error_message & SimpleItem.raise_standardErrorMessage facilitate cross site scripting

Bug #142618 reported by Jamie Heilman
Affects   Status   Importance   Assigned to   Milestone
Zope 2    New      Medium       Unassigned

Bug Description

Problem summary:
1) error_value is promoted to error_message if it appears to contain markup in SimpleItem.raise_standardErrorMessage().
2) The default standard_error_message method presents error_message without escaping HTML special characters.
3) error_value can be goaded into containing markup chosen by a remote client

Problem History:
The promotion of a tainted error_value was uncovered in http://exploitlabs.com/files/advisories/EXPL-A-2003-009-zope.txt
(vulnerability 3a) though it wasn't identified as such.

Test Cases:
Make a Script (Python) object named 'intpromo' containing:
## Script (Python) "intpromo"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=i
##title=
##
return int(i)

Now request it, http://zope.example.com/intpromo?i=<b>ad+news

Workaround:
Either use HTML quoting with error_message in the standard_error_message (i.e. &dtml-error_message;) or remove error_message rendering entirely.

Suggested Long-term Fix:
Remove error_value promotion from raise_standardErrorMessage and all Zope code which attempts to create error_values containing markup (i.e. ZPublisher.HTTPResponse._error_html).
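The following is an added, self-contained model of the chain described above (the 'intpromo' test case, the promotion of a markup-bearing error_value, and the HTML-quoting workaround); it is not Zope code and not the reporter's. The tag-detection regex stands in for the "appears to contain markup" heuristic, which is an assumption; the two render functions are constructed stand-ins for the default and the quoted standard_error_message.

```python
import html
import re

# Assumption: "appears to contain markup" is modelled as "contains a tag-like
# token"; the real heuristic in SimpleItem.raise_standardErrorMessage may differ.
_TAG_RE = re.compile(r"<[A-Za-z/!][^>]*>")


def promote_error_value(error_message, error_value):
    """Return the text the error page will render, mimicking the promotion:
    a missing error_message is replaced by error_value when it looks like markup."""
    value = str(error_value)
    if error_message is None and _TAG_RE.search(value):
        return value
    return error_message or ""


def render_vulnerable(error_type, error_message):
    """Constructed stand-in for the default standard_error_message:
    error_message is inserted into the page without escaping."""
    return "<p><strong>Error Type:</strong> %s</p><p>%s</p>" % (
        error_type, error_message)


def render_fixed(error_type, error_message):
    """Workaround: HTML-quote the value, the equivalent of &dtml-error_message;."""
    return "<p><strong>Error Type:</strong> %s</p><p>%s</p>" % (
        html.escape(error_type, quote=True), html.escape(error_message, quote=True))


def intpromo(i):
    """Body of the 'intpromo' Script (Python) from the report."""
    return int(i)


def handle_request(i, render):
    """Simulate publishing intpromo?i=... and building the error page.
    Returns None on success, otherwise the rendered error page."""
    try:
        intpromo(i)
        return None
    except ValueError as exc:
        # The ValueError text echoes the client-supplied value verbatim,
        # so the attacker-chosen "<b>" survives into error_value.
        message = promote_error_value(None, exc)
        return render(type(exc).__name__, message)
```

With the default rendering the client-supplied tag reaches the page intact; with the quoted rendering it is emitted as `&lt;b&gt;`.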

Please mark this bug as publicly visible, Zope administrators need to know how to protect their installations until this issue is addressed by an official release or hotfix.

Tags: bug zope
visibility: private → public
