[Zope-Checkins] CVS: Zope/lib/python/Products/ZCTextIndex/dtml - addLexicon.dtml:1.8.26.1 addZCTextIndex.dtml:1.5.26.1 manageZCTextIndex.dtml:1.7.18.1
Florent Guillaume
fg@nuxeo.com
Wed, 23 Oct 2002 19:06:46 -0400
Update of /cvs-repository/Zope/lib/python/Products/ZCTextIndex/dtml
In directory cvs.zope.org:/tmp/cvs-serv26857/lib/python/Products/ZCTextIndex/dtml
Modified Files:
Tag: efge-death-to-dtml-var-branch
addLexicon.dtml addZCTextIndex.dtml manageZCTextIndex.dtml
Log Message:
Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.
=== Zope/lib/python/Products/ZCTextIndex/dtml/addLexicon.dtml 1.8 => 1.8.26.1 ===
--- Zope/lib/python/Products/ZCTextIndex/dtml/addLexicon.dtml:1.8 Tue Jun 4 15:56:32 2002
+++ Zope/lib/python/Products/ZCTextIndex/dtml/addLexicon.dtml Wed Oct 23 19:06:15 2002
@@ -53,7 +53,7 @@
</select>
<dtml-else>
<input type="checkbox" name="elements.name:records"
- value="<dtml-var expr="elements[0]">" checked />
+ value="<dtml-var expr="elements[0]" html_quote>" checked />
</dtml-if>
</td>
</tr>
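Review bot: the quoted value lands inside a double-quoted HTML attribute, so this fix relies on `html_quote` escaping `"` as well as `<`, `>` and `&`; Zope's DocumentTemplate `html_quote` does map `"` to `&quot;`, so `value="<dtml-var expr="elements[0]" html_quote>"` is correct. Since the `&dtml-foo;` entity form cannot carry an `expr`, this is one of the `<dtml-var>` tags that has to remain; a short `<dtml-comment>` saying so would keep it from being flagged in the next audit the log message describes.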
=== Zope/lib/python/Products/ZCTextIndex/dtml/addZCTextIndex.dtml 1.5 => 1.5.26.1 ===
--- Zope/lib/python/Products/ZCTextIndex/dtml/addZCTextIndex.dtml:1.5 Tue Jun 4 15:56:32 2002
+++ Zope/lib/python/Products/ZCTextIndex/dtml/addZCTextIndex.dtml Wed Oct 23 19:06:15 2002
@@ -65,7 +65,7 @@
<select name="extra.lexicon_id:record">
</dtml-if>
<option value="&dtml-id;">
- &dtml-id; <dtml-var name="title" fmt="(%s)" null>
+ &dtml-id; <dtml-var name="title" fmt="(%s)" null html_quote>
</option>
<dtml-if sequence-end>
</select>
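Review bot: `html_quote` here is applied to the output of `fmt="(%s)"`, which is the right order, since the parentheses are untouched while any markup in `title` is escaped, and `null` still suppresses output for a `None` title. As with the `expr` case, `fmt` and `null` have no `&dtml-foo;` equivalent, so this tag stays a `<dtml-var>` by necessity; a one-line comment noting that would make the remaining legitimate uses easier to audit, which is the stated goal of the change.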
=== Zope/lib/python/Products/ZCTextIndex/dtml/manageZCTextIndex.dtml 1.7 => 1.7.18.1 ===
--- Zope/lib/python/Products/ZCTextIndex/dtml/manageZCTextIndex.dtml:1.7 Thu Sep 5 16:41:13 2002
+++ Zope/lib/python/Products/ZCTextIndex/dtml/manageZCTextIndex.dtml Wed Oct 23 19:06:15 2002
@@ -3,17 +3,17 @@
<p class="form-help">
Name of attribute indexed:
- <em><dtml-var getFieldName></em>
+ <em>&dtml-getFieldName;</em>
</p>
<p class="form-help">
Index type:
- <em><dtml-var getIndexType></em>
+ <em>&dtml-getIndexType;</em>
</p>
<p class="form-help">
ZCTextIndex Lexicon used:
<dtml-if getLexiconURL>
- <a href="<dtml-var getLexiconURL>/manage_main"
- ><dtml-var getLexiconURL></a>
+ <a href="&dtml.url_quote-getLexiconURL;/manage_main"
+ >&dtml-getLexiconURL;</a>
<dtml-else>
<em>(Lexicon Not Found)</em>
</dtml-if>
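Review bot: `&dtml.url_quote-getLexiconURL;` is the wrong escape for this spot: `url_quote` percent-encodes everything except `/`, so if `getLexiconURL` returns an absolute URL the `:` in `http://` becomes `%3A` and the `href` turns into a relative path, breaking the link. The value is a whole URL placed in a double-quoted attribute, so `html_quote` (the plain `&dtml-getLexiconURL;` already used for the link text, or `&dtml.html_quote-getLexiconURL;`) is the correct escape; `url_quote` belongs on individual query-string or path components, not on a complete URL.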