[Zope-Checkins] CVS: Zope/lib/python/Products/PluginIndexes/common - UnIndex.py:1.7.12.2

Martijn Pieters mj@zope.com
Thu, 1 Aug 2002 12:01:29 -0400


Update of /cvs-repository/Zope/lib/python/Products/PluginIndexes/common
In directory cvs.zope.org:/tmp/cvs-serv9310/lib/python/Products/PluginIndexes/common

Modified Files:
      Tag: Zope-2_5-branch
	UnIndex.py 
Log Message:
Big change, merge from trunk.

- Make DTML automatically html quote data indirectly taken from REQUEST
  which contain a '<'. Make sure (almost) all string operations preserve the
  taint on this data.

- Fix exceptions that use REQUEST data; quote the data.

- Don't let form and cookie values mask the REQUEST computed values such as
  URL0 and BASE1.


=== Zope/lib/python/Products/PluginIndexes/common/UnIndex.py 1.7.12.1 => 1.7.12.2 ===
 
 from Products.PluginIndexes.common.util import parseIndexRequest
 import sys
+from cgi import escape
 
 _marker = []
 
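Review bot: the new `escape` import is used with its default `quote` argument at its one call site below, so only `&`, `<` and `>` are replaced and `"` is left alone. That is adequate for a message rendered as text between tags, but it does not make the string safe inside an attribute value; if any of the quoted exception messages can land in attribute context, pass `quote=1` (`escape(value, 1)`) at those call sites rather than relying on the default.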
@@ -316,7 +317,7 @@
         # experimental code for specifing the operator
         operator = record.get('operator',self.useOperator)
         if not operator in self.operators :
-           raise RuntimeError,"operator not valid: %s" % operator
+           raise RuntimeError,"operator not valid: %s" % escape(operator)
 
         # depending on the operator we use intersection or union
         if operator=="or":  set_func = union
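Review bot: `escape(operator)` assumes `operator` is a string, which the original `"%s" % operator` did not. `cgi.escape` calls string replace on its argument, so if `record.get('operator', ...)` returns a non-string value (a list or an int coming from the request) this line fails with a TypeError or AttributeError inside `escape` instead of raising the intended RuntimeError. Suggest `escape(str(operator))` to keep the old any-type behaviour while still quoting. Minor style point in the unchanged context: `if not operator in self.operators` reads better as `if operator not in self.operators`.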
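The quoting this commit applies to the operator message, next to a small model of the "taint" the log message describes, as an added example that is not Zope's own code: the `TaintedString` class, `taint_request`, `render` and the form values here are assumptions made for illustration (Zope's real TaintedString lives in ZPublisher and differs in detail). It is written for Python 3, using `html.escape` in place of the `cgi.escape` the patch imports, which Python 3.8 removed.

```python
import html

# Constructed sample of what a crafted request could carry: markup in a form
# field that the index later echoes into an error message.
CRAFTED_OPERATOR = "<script>alert(1)</script>"
OPERATORS = ("and", "or")


def invalid_operator_message_before(operator):
    """Pre-fix message: request data is interpolated raw, so a crafted value
    becomes live markup if the error page is served as HTML."""
    return "operator not valid: %s" % operator


def invalid_operator_message(operator):
    """Post-fix message. str() first so a non-string request value (a list,
    an int) still produces the intended RuntimeError instead of failing inside
    the escape call; quote=True also covers attribute context."""
    return "operator not valid: %s" % html.escape(str(operator), quote=True)


def check_operator(operator, operators=OPERATORS):
    """Mirror of the UnIndex check: reject unknown operators with a quoted message."""
    if operator not in operators:
        raise RuntimeError(invalid_operator_message(operator))
    return operator


class TaintedString:
    """Illustrative taint wrapper (an assumption of this example, not Zope's).
    A request value containing '<' is wrapped; the common string operations
    return another TaintedString so the taint survives slicing, concatenation
    and formatting, and the renderer escapes anything still tainted at output."""

    def __init__(self, value):
        self._value = str(value)

    def __str__(self):
        return self._value  # the raw value, only for code that asks for it

    def quoted(self):
        return html.escape(self._value, quote=True)

    # Operations whose result keeps the taint.
    def __add__(self, other):
        return TaintedString(self._value + str(other))

    def __radd__(self, other):
        return TaintedString(str(other) + self._value)

    def __getitem__(self, key):  # indexing and slicing keep the taint
        return TaintedString(self._value[key])

    def __mod__(self, args):
        return TaintedString(self._value % args)

    def lower(self):
        return TaintedString(self._value.lower())

    def strip(self):
        return TaintedString(self._value.strip())

    def __len__(self):
        return len(self._value)

    def __eq__(self, other):
        return self._value == str(other)

    def __hash__(self):
        return hash(self._value)

    def __repr__(self):
        return "TaintedString(%r)" % self._value


def taint_request(form):
    """Apply the commit's rule: only string values containing '<' get tainted."""
    return {
        key: TaintedString(value) if isinstance(value, str) and "<" in value else value
        for key, value in form.items()
    }


def render(template, variables):
    """Minimal {name} substitution: tainted values are HTML-quoted on the way
    out, untainted ones are inserted unchanged."""
    out = template
    for name, value in variables.items():
        rendered = value.quoted() if isinstance(value, TaintedString) else str(value)
        out = out.replace("{" + name + "}", rendered)
    return out


if __name__ == "__main__":
    print(invalid_operator_message_before(CRAFTED_OPERATOR))
    print(invalid_operator_message(CRAFTED_OPERATOR))
    form = taint_request({"operator": "<b>or</b>", "query": "zope"})
    print(render("<p>You searched for {query} with {operator}</p>", form))
```

The point of the wrapper is the one the log message makes: quoting at the single `raise` site closes one hole, but data that flows through slices, joins and `%` formatting before it reaches a template only stays safe if those operations return a tainted result too, so the escape happens once, at render time, wherever the value ends up.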