[Zope-Checkins] CVS: Zope/lib/python/OFS/dtml - documentEdit.dtml:1.8.22.1 editedDialog.dtml:1.2.218.1 fileEdit.dtml:1.7.64.1 imageView.dtml:1.2.218.1

Florent Guillaume fg@nuxeo.com
Sun, 22 Dec 2002 11:16:46 -0500


Update of /cvs-repository/Zope/lib/python/OFS/dtml
In directory cvs.zope.org:/tmp/cvs-serv2325/lib/python/OFS/dtml

Modified Files:
      Tag: Zope-2_6-branch
	documentEdit.dtml editedDialog.dtml fileEdit.dtml 
	imageView.dtml 
Log Message:
Fixed insufficient quoting in a number of DTML files when displaying
the title. This closes some actual and potential XSS holes. (Collector #595)


=== Zope/lib/python/OFS/dtml/documentEdit.dtml 1.8 => 1.8.22.1 ===
--- Zope/lib/python/OFS/dtml/documentEdit.dtml:1.8	Fri Apr 12 16:19:02 2002
+++ Zope/lib/python/OFS/dtml/documentEdit.dtml	Sun Dec 22 11:16:15 2002
@@ -28,11 +28,11 @@
   <dtml-let cols="REQUEST.get('dtpref_cols', '100%')">
     <dtml-if expr="cols[-1]=='%'">
       <textarea name="data:text" wrap="off" style="width:&dtml-cols;"
-                rows="<dtml-var dtpref_rows missing="20">"
+                rows="<dtml-var dtpref_rows missing="20" html_quote>"
       ><dtml-var __str__></textarea>
     <dtml-else>
       <textarea name="data:text" wrap="off" cols="&dtml-cols;"
-                rows="<dtml-var dtpref_rows missing="20">"
+                rows="<dtml-var dtpref_rows missing="20" html_quote>"
       ><dtml-var __str__></textarea>      
     </dtml-if>
   </dtml-let>
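Review bot: the `rows` attribute is now html_quoted on both branches of the `<dtml-if>`, but the textarea body `><dtml-var __str__></textarea>` (same two lines in this hunk) is still emitted raw; the fileEdit.dtml hunk in this same checkin quotes the equivalent body as `<dtml-var __str__ html_quote>`, and a document whose source contains `</textarea>` would otherwise close the element early in the edit form. Suggest `><dtml-var __str__ html_quote></textarea>` here as well, for parity with fileEdit.dtml.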


=== Zope/lib/python/OFS/dtml/editedDialog.dtml 1.2 => 1.2.218.1 ===
--- Zope/lib/python/OFS/dtml/editedDialog.dtml:1.2	Mon Jan  8 17:46:59 2001
+++ Zope/lib/python/OFS/dtml/editedDialog.dtml	Sun Dec 22 11:16:15 2002
@@ -13,7 +13,7 @@
   <div class="std-text">
   <BR><BR>
   <CENTER>
-  <dtml-var title_and_id> has been successfully edited.
+  &dtml-title_and_id; has been successfully edited.
   </CENTER>
   </div>
   </TD>
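Review bot: style point on the replacement line: the entity form `&dtml-title_and_id;` expands to `<dtml-var title_and_id html_quote>`, so the quoting is correct, but the documentEdit.dtml and fileEdit.dtml hunks in this checkin use the explicit `html_quote` attribute for the same purpose. Either form works; consider using one convention across the four files so a later reader can see at a glance which variables are escaped.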


=== Zope/lib/python/OFS/dtml/fileEdit.dtml 1.7 => 1.7.64.1 ===
--- Zope/lib/python/OFS/dtml/fileEdit.dtml:1.7	Thu Jan 24 16:19:57 2002
+++ Zope/lib/python/OFS/dtml/fileEdit.dtml	Sun Dec 22 11:16:15 2002
@@ -53,9 +53,9 @@
   <td align="left" valign="top" colspan="2">
   <div style="width: 100%;">
   <textarea name="filedata:text" wrap="off" style="width: 100%;"<dtml-if 
-   dtpref_cols> cols="<dtml-var dtpref_cols>"<dtml-else
+   dtpref_cols> cols="<dtml-var dtpref_cols html_quote>"<dtml-else
    > cols="50"</dtml-if><dtml-if dtpref_rows> rows="<dtml-var 
-   dtpref_rows>"<dtml-else> rows="20"</dtml-if>><dtml-var 
+   dtpref_rows html_quote>"<dtml-else> rows="20"</dtml-if>><dtml-var 
    __str__ html_quote></textarea>
   </div>
   </td>
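Review bot: adding `html_quote` to `dtpref_cols` and `dtpref_rows` stops those values from terminating the `cols=` / `rows=` attributes, which is the right layer for this fix since both come from request preferences. The surrounding `<dtml-if dtpref_cols>` / `<dtml-if dtpref_rows>` guards only test for presence, though, so a non-numeric preference still reaches the attribute (escaped); if these are meant to be integers, a numeric check or a default via `missing=` as documentEdit.dtml does would tighten it further. Not blocking.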


=== Zope/lib/python/OFS/dtml/imageView.dtml 1.2 => 1.2.218.1 ===
--- Zope/lib/python/OFS/dtml/imageView.dtml:1.2	Mon Jan  8 17:46:59 2001
+++ Zope/lib/python/OFS/dtml/imageView.dtml	Sun Dec 22 11:16:15 2002
@@ -5,7 +5,7 @@
 <img src="<dtml-var absolute_url>" <dtml-if 
  width>width="<dtml-var width>" </dtml-if><dtml-if 
  height>height="<dtml-var height>" </dtml-if
- > alt="<dtml-var title_or_id>" />
+ > alt="&dtml-title_or_id;" />
 </p>
 
 <dtml-var manage_page_footer>
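Review bot: `alt` is now quoted, but `width="<dtml-var width>"` and `height="<dtml-var height>"` on the two unchanged context lines above it are still emitted unquoted inside attributes, the same pattern this checkin fixes for `cols` / `rows` in fileEdit.dtml; suggest `<dtml-var width html_quote>` and `<dtml-var height html_quote>` (or `&dtml-width;` / `&dtml-height;`) in the same change. `src="<dtml-var absolute_url>"` is likewise unquoted and would be cheap to escape at the same time.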