[Zope-Checkins] CVS: Zope/lib/python/Products/OFSP/dtml - draftAdd.dtml:1.2.212.1 draftApprove.dtml:1.2.212.1 version.dtml:1.2.212.1

Florent Guillaume fg@nuxeo.com
Sun, 22 Dec 2002 11:16:47 -0500


Update of /cvs-repository/Zope/lib/python/Products/OFSP/dtml
In directory cvs.zope.org:/tmp/cvs-serv2325/lib/python/Products/OFSP/dtml

Modified Files:
      Tag: Zope-2_6-branch
	draftAdd.dtml draftApprove.dtml version.dtml 
Log Message:
Fixed insufficient quoting in a number of DTML files when displaying
the title. This closes some actual and potential XSS holes. (Collector #595)


=== Zope/lib/python/Products/OFSP/dtml/draftAdd.dtml 1.2 => 1.2.212.1 ===
--- Zope/lib/python/Products/OFSP/dtml/draftAdd.dtml:1.2	Mon Jan  8 17:47:02 2001
+++ Zope/lib/python/Products/OFSP/dtml/draftAdd.dtml	Sun Dec 22 11:16:16 2002
@@ -35,7 +35,7 @@
     <dtml-unless "meta_type in ('Version', 'Principia Draft', 'User Folder')">
       <option value="<dtml-var id html_quote>">
       <dtml-if title>
-	<dtml-var title size="25"> (<dtml-var id>)
+	<dtml-var title size="25" html_quote> (<dtml-var id>)
       <dtml-else>
 	<dtml-var id>
       </dtml-if>
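Review bot: the `<dtml-var id>` on the changed line (and the one in the `<dtml-else>` branch) is still emitted without `html_quote`, so only half of the option label is escaped after this hunk. The `value` attribute two lines up already uses `<dtml-var id html_quote>`; for consistency and to keep the whole label safe regardless of how ids are validated elsewhere, make the display text `<dtml-var title size="25" html_quote> (<dtml-var id html_quote>)` and `<dtml-var id html_quote>` in the else branch, or use the `&dtml-id;` entity form, which applies `html_quote` implicitly.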


=== Zope/lib/python/Products/OFSP/dtml/draftApprove.dtml 1.2 => 1.2.212.1 ===
--- Zope/lib/python/Products/OFSP/dtml/draftApprove.dtml:1.2	Mon Jan  8 17:47:02 2001
+++ Zope/lib/python/Products/OFSP/dtml/draftApprove.dtml	Sun Dec 22 11:16:16 2002
@@ -6,7 +6,7 @@
 <h3>Approve</h3>
 
 <p class="form-text">
-You can make work done in <dtml-var id> (<dtml-var title>) permanent by 
+You can make work done in <dtml-var id> (&dtml-title;) permanent by 
 entering a remark in the space below and then clicking on the <em>approve</em> 
 button.
 <br />
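Review bot: `<dtml-var id>` on the changed line remains unquoted while `title` is switched to the `&dtml-title;` entity form. Since `&dtml-name;` is shorthand for `<dtml-var name html_quote>`, the same form should be used for the id too, i.e. `You can make work done in &dtml-id; (&dtml-title;) permanent by`, so the sentence does not depend on ids never containing markup characters.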
@@ -19,7 +19,7 @@
 <h3>Discard</h3>
   
 <p class="form-text">
-You can throw away work done in <dtml-var id> (<dtml-var title>) by 
+You can throw away work done in <dtml-var id> (&dtml-title;) by 
 clicking on the <em>discard</em> button.
 <br />
 <input type=submit value="Discard">
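Review bot: same issue as the Approve block above: `<dtml-var id>` is still inserted raw next to the now-quoted `&dtml-title;`. Suggest `You can throw away work done in &dtml-id; (&dtml-title;) by` so both interpolations in this paragraph are escaped the same way.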


=== Zope/lib/python/Products/OFSP/dtml/version.dtml 1.2 => 1.2.212.1 ===
--- Zope/lib/python/Products/OFSP/dtml/version.dtml:1.2	Mon Jan  8 17:47:02 2001
+++ Zope/lib/python/Products/OFSP/dtml/version.dtml	Sun Dec 22 11:16:16 2002
@@ -41,7 +41,7 @@
 
   <p class="form-text">
   You <strong>are not</strong> currently working in the
-  <dtml-var title_and_id>
+  &dtml-title_and_id;
   version.
   </p>
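Review bot: this hunk is tagged `Zope-2_6-branch` only (see the `Tag:` line in the header); please confirm the equivalent change is committed to the trunk as well, since the log message describes it as closing actual XSS holes and a branch-only fix would regress on the next major release. It would also help to add a regression test that creates a version whose title contains `<` and `&` characters and asserts that the rendered page contains the escaped forms, so that a future edit cannot silently revert `&dtml-title_and_id;` back to `<dtml-var title_and_id>`.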