[Zope-Checkins] CVS: Zope/lib/python/Products/ZCatalog/dtml - addIndexForm.dtml:1.3 catalogAddRowForm.dtml:1.3 catalogAdvanced.dtml:1.4 catalogFind.dtml:1.4 catalogIndexes.dtml:1.8 catalogObjectInformation.dtml:1.5 catalogSchema.dtml:1.4 catalogStatus.dtml:1.3 catalogView.dtml:1.8 editCatalogerForm.dtml:1.3 manage_vocab.dtml:1.4 vocab_manage_main.dtml:1.3

Florent Guillaume fg@nuxeo.com
Sun, 22 Dec 2002 12:54:38 -0500


Update of /cvs-repository/Zope/lib/python/Products/ZCatalog/dtml
In directory cvs.zope.org:/tmp/cvs-serv14380/lib/python/Products/ZCatalog/dtml

Modified Files:
	addIndexForm.dtml catalogAddRowForm.dtml catalogAdvanced.dtml 
	catalogFind.dtml catalogIndexes.dtml 
	catalogObjectInformation.dtml catalogSchema.dtml 
	catalogStatus.dtml catalogView.dtml editCatalogerForm.dtml 
	manage_vocab.dtml vocab_manage_main.dtml 
Log Message:
Merged efge-death-to-dtml-var-branch into HEAD:

Replaced most <dtml-var> tags with the &dtml-foo; entity syntax.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.


=== Zope/lib/python/Products/ZCatalog/dtml/addIndexForm.dtml 1.2 => 1.3 ===
--- Zope/lib/python/Products/ZCatalog/dtml/addIndexForm.dtml:1.2	Wed May 30 11:57:37 2001
+++ Zope/lib/python/Products/ZCatalog/dtml/addIndexForm.dtml	Sun Dec 22 12:54:07 2002
@@ -11,7 +11,7 @@
 </p>
 
 <form action="manage_addIndex" method="post">
-<input type=hidden name="type" value="<dtml-var index_type>">
+<input type=hidden name="type" value="&dtml-index_type;">
 
 <table cellspacing="0" cellpadding="2" border="0">
   <tr>


=== Zope/lib/python/Products/ZCatalog/dtml/catalogAddRowForm.dtml 1.2 => 1.3 ===
--- Zope/lib/python/Products/ZCatalog/dtml/catalogAddRowForm.dtml:1.2	Mon Jan  8 17:47:03 2001
+++ Zope/lib/python/Products/ZCatalog/dtml/catalogAddRowForm.dtml	Sun Dec 22 12:54:07 2002
@@ -1,7 +1,7 @@
 <dtml-var manage_page_header>
 <dtml-var manage_tabs>
 
-<form action="<dtml-var URL1>">
+<form action="&dtml-URL1;">
 
 
 


=== Zope/lib/python/Products/ZCatalog/dtml/catalogAdvanced.dtml 1.3 => 1.4 ===
--- Zope/lib/python/Products/ZCatalog/dtml/catalogAdvanced.dtml:1.3	Fri Jan 26 14:00:13 2001
+++ Zope/lib/python/Products/ZCatalog/dtml/catalogAdvanced.dtml	Sun Dec 22 12:54:07 2002
@@ -18,7 +18,7 @@
   </p>
   </td>
   <td align="right" valign="top">
-<form action="<dtml-var URL1>">
+<form action="&dtml-URL1;">
 <input class="form-element" type="submit" 
  name="manage_catalogReindex:method" value=" Update Catalog ">
 </form>
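Review bot: The rewritten form line `<form action="&dtml-URL1;">` still declares no `method`, so the `manage_catalogReindex:method` submit below it is sent as a GET, while the otherwise identical form in the @@ -80 hunk of this same file declares `method="POST"`; the `manage_catalogClear` form in the next hunk has the same gap. Both buttons change catalog state, so `<form action="&dtml-URL1;" method="POST">` on those two lines would make the three forms consistent and keep state-changing requests off GET. This is pre-existing rather than introduced by the change; the quoting fix itself is correct for a double-quoted attribute context.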
@@ -30,7 +30,7 @@
   </p>
   </td>
   <td align="right" valign="top">
-<form action="<dtml-var URL1>">
+<form action="&dtml-URL1;">
 <input class="form-element" type="submit" 
  name="manage_catalogClear:method" value=" Clear Catalog ">
 </form>
@@ -80,7 +80,7 @@
       </dtml-if></p>
   </td>
   <td align="right" valign="top">
-    <form action="<dtml-var URL1>" method="POST">
+    <form action="&dtml-URL1;" method="POST">
     <div class="form-element">
       <dtml-if threshold>
 	<input class="form-element" type="submit" 
@@ -109,8 +109,7 @@
   <td align="right" valign="top">
     <form action="manage_edit" method=POST>
      <div class="form-element">
-      <input name="threshold:int" value="<dtml-var
-      threshold html_quote>" />
+      <input name="threshold:int" value="&dtml-threshold;" />
       <input type="submit" name="submit" value="Set Threshold">
       </div>
     </form>


=== Zope/lib/python/Products/ZCatalog/dtml/catalogFind.dtml 1.3 => 1.4 ===
--- Zope/lib/python/Products/ZCatalog/dtml/catalogFind.dtml:1.3	Mon Jan 15 17:15:17 2001
+++ Zope/lib/python/Products/ZCatalog/dtml/catalogFind.dtml	Sun Dec 22 12:54:07 2002
@@ -19,7 +19,7 @@
   <SELECT NAME="obj_metatypes:list" SIZE="4" MULTIPLE>
   <OPTION VALUE="all" SELECTED> All types
 <dtml-in all_meta_types mapping>
-  <OPTION VALUE="<dtml-var name html_quote>"> <dtml-var name>
+  <OPTION VALUE="&dtml-name;"> &dtml-name;
 </dtml-in>
   </SELECT>
   </div>
@@ -85,7 +85,7 @@
   <div class="form-element">
   <SELECT NAME="obj_roles:list" SIZE="3" MULTIPLE>
 <dtml-in valid_roles>
-  <OPTION VALUE="<dtml-var sequence-item html_quote>"> <dtml-var sequence-item>
+  <OPTION VALUE="&dtml-sequence-item;"> &dtml-sequence-item;
 </dtml-in>
   </SELECT>
   </div>
@@ -101,7 +101,7 @@
   <div class="form-element">
   <SELECT NAME="obj_permission">
 <dtml-in permission_settings mapping>
-  <OPTION VALUE="<dtml-var name html_quote>"> <dtml-var name>
+  <OPTION VALUE="&dtml-name;"> &dtml-name;
 </dtml-in>
   </SELECT>
   </div>


=== Zope/lib/python/Products/ZCatalog/dtml/catalogIndexes.dtml 1.7 => 1.8 ===
--- Zope/lib/python/Products/ZCatalog/dtml/catalogIndexes.dtml:1.7	Fri Jun 28 13:25:24 2002
+++ Zope/lib/python/Products/ZCatalog/dtml/catalogIndexes.dtml	Sun Dec 22 12:54:07 2002
@@ -142,11 +142,11 @@
     <td>
     <div class="list-item">
       <dtml-if "_.string.find(_.str(_.getattr(this(),'__implements__','old')),'PluggableIndexInterface')>-1">
-        <dtml-var meta_type>
+        &dtml-meta_type;
       <dtml-else>
          <dtml-call "REQUEST.set('oldidx',1)">
          (pre-2.4 index)
-         <dtml-var meta_type>
+         &dtml-meta_type;
       </dtml-if>
     </div>
     </td>


=== Zope/lib/python/Products/ZCatalog/dtml/catalogObjectInformation.dtml 1.4 => 1.5 ===
--- Zope/lib/python/Products/ZCatalog/dtml/catalogObjectInformation.dtml:1.4	Thu Apr  5 12:06:50 2001
+++ Zope/lib/python/Products/ZCatalog/dtml/catalogObjectInformation.dtml	Sun Dec 22 12:54:07 2002
@@ -10,7 +10,7 @@
 <tr class="location-bar">
   <td colspan="2" align="left">
   <div class="std-text">
-  <strong>Catalog record at <dtml-var expr="getpath(_.int(rid))"></strong>
+  <strong>Catalog record at <dtml-var expr="getpath(_.int(rid))" html_quote></strong>
   </div>
   </td>
 </tr>


=== Zope/lib/python/Products/ZCatalog/dtml/catalogSchema.dtml 1.3 => 1.4 ===
--- Zope/lib/python/Products/ZCatalog/dtml/catalogSchema.dtml:1.3	Tue Jun 11 16:20:12 2002
+++ Zope/lib/python/Products/ZCatalog/dtml/catalogSchema.dtml	Sun Dec 22 12:54:07 2002
@@ -22,18 +22,17 @@
 tab).  This way, the summary data may be shown in the search results.
 </p>
 
-<form action="<dtml-var URL1>">
+<form action="&dtml-URL1;">
 
 <table cellspacing="0" cellpadding="2" border="0">
 <dtml-in schema sort=sequence-item>
   <tr>
     <td align="left" valign="top">
-    <input type="checkbox" name="names:list" value="<dtml-var 
-     sequence-item html_quote>" />
+    <input type="checkbox" name="names:list" value="&dtml-sequence-item;" />
     </td>
     <td align="left" valign="top">
     <div class="form-text">
-    <dtml-var sequence-item>
+    &dtml-sequence-item;
     </div>
     </td>
   </tr>


=== Zope/lib/python/Products/ZCatalog/dtml/catalogStatus.dtml 1.2 => 1.3 ===
--- Zope/lib/python/Products/ZCatalog/dtml/catalogStatus.dtml:1.2	Mon Jan  8 17:47:03 2001
+++ Zope/lib/python/Products/ZCatalog/dtml/catalogStatus.dtml	Sun Dec 22 12:54:07 2002
@@ -26,7 +26,7 @@
 	<font color="red"><b>Disabled</b></font>
       </dtml-if></h3>
 
-    <form action="<dtml-var URL1>" method="POST">
+    <form action="&dtml-URL1;" method="POST">
     <div class="form-element">
       <dtml-if threshold>
 	<input class="form-element" type="submit" 
@@ -49,8 +49,7 @@
       memory.  If this number is higher, the Catalog will index
       quickly but consume much more memory.</p>
 
-      Subtransaction threshold: <input name="threshold:int" value="<dtml-var
-      threshold html_quote>" />
+      Subtransaction threshold: <input name="threshold:int" value="&dtml-threshold;" />
       <br>
       <div class="form-element">
       <input type="submit" name="submit" value="Save Changes">
@@ -65,7 +64,7 @@
       <dtml-in index_objects sort=id>
       <li>
 	<dtml-var "_.len(_['sequence-item'])"> 
-	object are indexed in <b><dtml-var "_['sequence-item'].id"></b>
+	object are indexed in <b><dtml-var "_['sequence-item'].id" html_quote></b>
       </li>
       </dtml-in>
     </ul>


=== Zope/lib/python/Products/ZCatalog/dtml/catalogView.dtml 1.7 => 1.8 ===
--- Zope/lib/python/Products/ZCatalog/dtml/catalogView.dtml:1.7	Mon Dec 16 13:11:31 2002
+++ Zope/lib/python/Products/ZCatalog/dtml/catalogView.dtml	Sun Dec 22 12:54:07 2002
@@ -28,20 +28,19 @@
 //-->
 </script>
 
-<form action="<dtml-var name="URL1">" name="objectItems">
+<form action="&dtml-URL1;" name="objectItems">
 
 <p class="form-text">
-<dtml-var id> contains <dtml-var 
- searchResults fmt=collection-length thousands_commas> record(s).
+&dtml-id; contains <dtml-var searchResults fmt=collection-length thousands_commas> record(s).
 </p>
   <div class="form-text">
   <dtml-in searchResults previous size=20 start=query_start >
-    <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+    <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
       [Previous <dtml-var previous-sequence-size> entries]
     </a>
   </dtml-in>
   <dtml-in searchResults next size=20 start=query_start >
-    <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+    <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
       [Next <dtml-var next-sequence-size> entries]
     </a>
   </dtml-in>
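Review bot: The `<dtml-var previous-sequence-start-number>` and `<dtml-var next-sequence-start-number>` interpolations on the rewritten href lines are deliberately left as raw `<dtml-var>`, but nothing in the template records why, which works against the auditability goal the log message states. A short `<dtml-comment>` above the first `<dtml-in searchResults ...>` saying that these sequence counters are integers computed by dtml-in and therefore need no html_quote would let a later reader skip them without re-deriving that. The same applies to the paging links in all four hunks of manage_vocab.dtml and to the `_.len(...)` var in the @@ -65 hunk of catalogStatus.dtml. As far as this hunk shows, the request-supplied `query_start` is only consumed via `start=query_start` and never reaches the output directly.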
@@ -72,7 +71,7 @@
     <td align="left" valign="top">
     <div class="form-text">
       <dtml-if expr="has_key('meta_type') and meta_type">
-        <dtml-var name="meta_type" size="15">
+        <dtml-var name="meta_type" size="15" html_quote>
       <dtml-else>
         <i>Unknown</i>
       </dtml-if>
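Review bot: `<dtml-var name="meta_type" size="15" html_quote>` relies on DT_Var applying the `size` truncation before the `html_quote` modifier; if the order were reversed, truncation could cut an entity such as `&amp;` in half and emit a bare `&` or `&am`. I believe the truncation runs first in DocumentTemplate, but it is worth confirming once against DT_Var.render, and a one-line `<dtml-comment>` noting that `size` is applied to the raw value would document why the combination is safe. The `dtml-if` around this var lies within the hunk, but the enclosing table row continues outside it.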


=== Zope/lib/python/Products/ZCatalog/dtml/editCatalogerForm.dtml 1.2 => 1.3 ===
--- Zope/lib/python/Products/ZCatalog/dtml/editCatalogerForm.dtml:1.2	Mon Jan  8 17:47:03 2001
+++ Zope/lib/python/Products/ZCatalog/dtml/editCatalogerForm.dtml	Sun Dec 22 12:54:07 2002
@@ -12,7 +12,7 @@
 <span class="form-label">
 Use Catalog: 
 </span>
-<input name="default" value="<dtml-var default_catalog html_quote>">
+<input name="default" value="&dtml-default_catalog;">
 <br>
 <div class="form-element">
 <input class="form-element" type="submit" value="Save Changes">


=== Zope/lib/python/Products/ZCatalog/dtml/manage_vocab.dtml 1.3 => 1.4 ===
--- Zope/lib/python/Products/ZCatalog/dtml/manage_vocab.dtml:1.3	Fri Jan 26 14:00:13 2001
+++ Zope/lib/python/Products/ZCatalog/dtml/manage_vocab.dtml	Sun Dec 22 12:54:07 2002
@@ -4,21 +4,20 @@
 <dtml-if words>
 
 <p class="form-text">
-<dtml-var id> contains <em><dtml-var 
- words fmt=collection-length thousands_commas></em>
+&dtml-id; contains <em><dtml-var words fmt=collection-length thousands_commas></em>
  word(s).
 </p>
 
 <dtml-in words previous size=20 start=query_start >
   <span class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
     [Previous <dtml-var previous-sequence-size> entries]
   </a>
   </span>
 </dtml-in>
 <dtml-in words next size=20 start=query_start >
   <span class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
     [Next <dtml-var next-sequence-size> entries]
   </a>
   </span>
@@ -48,7 +47,7 @@
 
 <dtml-in words previous size=20 start=query_start >
   <div class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
     [Previous <dtml-var previous-sequence-size> entries]
   </a>
   </div>
@@ -56,7 +55,7 @@
 
 <dtml-in words next size=20 start=query_start >
   <div class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
     [Next <dtml-var next-sequence-size> entries]
   </a>
   </div>


=== Zope/lib/python/Products/ZCatalog/dtml/vocab_manage_main.dtml 1.2 => 1.3 ===
--- Zope/lib/python/Products/ZCatalog/dtml/vocab_manage_main.dtml:1.2	Mon Jan  8 17:47:03 2001
+++ Zope/lib/python/Products/ZCatalog/dtml/vocab_manage_main.dtml	Sun Dec 22 12:54:07 2002
@@ -1,7 +1,7 @@
 <dtml-var manage_page_header>
 <dtml-var manage_tabs>
 
-<h2>Edit <dtml-var id></h2>
+<h2>Edit &dtml-id;</h2>
 
 <!--