[Zope-Coders] dtml-var cleanup
Florent Guillaume
fg@nuxeo.com
Wed, 23 Oct 2002 23:15:14 +0000 (UTC)
In efge-death-to-dtml-var-branch, I've tried to remove most <dtml-var>
to replace them with &dtml-foo;.
This corrects a number of potential (and some real) XSS holes. Note that
many harmless <dtml-var foo> or <dtml-var foo html_quote> were converted
too, because keeping them prevents us from doing effective audits.
I'd appreciate it if people eyeballed the diff, or tried to merge that
branch into their sandbox for a while to ensure that no spurious quoting
was introduced.
Here's the script I'm using to grep for the remaining <dtml-var>:
# Drop the <dtml-var> forms already dealt with (manage_*, standard_*,
# sequence vars, html_quote, fmt=...) and list whatever is left.
# (/dev/null as an extra grep argument forces a filename prefix on every
# match, even when xargs hands grep a single file.)
find . -name '*.dtml' | xargs grep '<dtml-var' /dev/null | sed \
-e 's/<dtml-var name="manage_//' \
-e 's/<dtml-var "manage_//' \
-e 's/<dtml-var manage_//' \
-e 's/<dtml-var standard_//' \
-e 's/<dtml-var next-sequence-//' \
-e 's/<dtml-var previous-sequence-//' \
-e 's/<dtml-var sequence-query//' \
-e 's/<dtml-var [^>]* html_quote>//' \
-e 's/<dtml-var [^>]* fmt="%[^>]*>//' \
-e 's/<dtml-var [^>]* fmt="structured-text">//' \
| grep '<dtml-var' | less
If everything looks ok, I'll merge this into HEAD. I think it warrants
merging into the 2.6 branch too before 2.6.1. I don't know about 2.5
(and the merge would be much more complex).
Florent
(Next step, CMF...)
--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com
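The same audit as a Python script, added here as an illustration and not code from Zope or from the branch discussed in the mail. It encodes the allowlist of the sed lines above (the manage_/standard_/sequence prefixes, html_quote, fmt="%..." and fmt="structured-text") and reports file, line and tag for every other <dtml-var>; the reason the entity form is preferred is that &dtml-foo; is equivalent to <dtml-var foo html_quote>. The sample DTML is constructed for the demo, and the tag parsing is more lenient than the sed regexes (it accepts html_quote anywhere among the modifiers, not only as the last one, and handles name="..." and expr="..." forms):

```python
import os
import re
import sys

# Constructed sample DTML for the demo (not from Zope); mixes forms the
# sed pipeline drops with forms it leaves for manual review.
SAMPLE_DTML = """\
<dtml-var standard_html_header>
<h1>&dtml-title_or_id;</h1>
<p><dtml-var description></p>
<p><dtml-var description html_quote></p>
<dtml-var manage_tabs>
<dtml-in objectValues>
 <a href="&dtml-absolute_url;"><dtml-var title_or_id></a>
 <dtml-var bobobase_modification_time fmt="%Y-%m-%d">
 <dtml-var sequence-item>
</dtml-in>
<dtml-var next-sequence-start-number>
<dtml-var "REQUEST.get('q', '')">
<dtml-var body fmt="structured-text">
<dtml-var standard_html_footer>
"""

# A <dtml-var ...> tag; quoted strings may contain '>' so they are matched whole.
TAG_RE = re.compile(r'<dtml-var\s+((?:"[^"]*"|[^">])*)>')
# First token of the tag body: name, name="...", "expr" or expr="...".
HEAD_RE = re.compile(r'(?:name=|expr=)?(?:"([^"]*)"|(\S+))')
FMT_RE = re.compile(r'fmt="?([^"\s]+)"?')

# Name prefixes the mail's sed lines strip before the final grep.
SAFE_PREFIXES = ('manage_', 'standard_', 'next-sequence-',
                 'previous-sequence-', 'sequence-query')


def split_tag(body):
    """Split a tag body into (name_or_expression, remaining modifiers)."""
    body = body.strip()
    m = HEAD_RE.match(body)
    if not m:
        return body, ''
    quoted, bare = m.groups()
    return (quoted if quoted is not None else bare), body[m.end():]


def needs_review(body):
    """True if the sed pipeline in the mail would leave this tag in its output."""
    name, mods = split_tag(body)
    if name.startswith(SAFE_PREFIXES):
        return False
    # html_quote anywhere in the modifiers (sed only matched it right before '>').
    if 'html_quote' in mods.split():
        return False
    fmt = FMT_RE.search(mods)
    if fmt and (fmt.group(1).startswith('%') or fmt.group(1) == 'structured-text'):
        return False
    return True


def audit(text, filename='<string>'):
    """Return [(filename, lineno, tag)] for every <dtml-var> still needing review."""
    hits = []
    for m in TAG_RE.finditer(text):
        if needs_review(m.group(1)):
            lineno = text.count('\n', 0, m.start()) + 1
            hits.append((filename, lineno, m.group(0)))
    return hits


def audit_tree(root):
    """Walk a directory (like the find in the mail) and audit every *.dtml file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith('.dtml'):
                path = os.path.join(dirpath, fn)
                with open(path, encoding='latin-1') as fh:
                    hits.extend(audit(fh.read(), path))
    return hits


if __name__ == '__main__':
    # With directory arguments: audit those trees; without: audit the sample.
    roots = sys.argv[1:]
    hits = [h for r in roots for h in audit_tree(r)] if roots else audit(SAMPLE_DTML)
    for filename, lineno, tag in hits:
        print(f'{filename}:{lineno}: {tag}')
```

Run it with one or more directories to get output in the same file:line: tag shape the grep pipeline produces; on the sample it reports the bare description, title_or_id and sequence-item vars and the quoted REQUEST expression, which are exactly the lines the sed pipeline would also leave standing.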