[Zope-Checkins] CVS: Zope/lib/python/Products/ZSQLMethods/dtml - add.dtml:1.3.202.1 edit.dtml:1.3.200.1

Florent Guillaume fg@nuxeo.com
Wed, 23 Oct 2002 19:06:46 -0400


Update of /cvs-repository/Zope/lib/python/Products/ZSQLMethods/dtml
In directory cvs.zope.org:/tmp/cvs-serv26857/lib/python/Products/ZSQLMethods/dtml

Modified Files:
      Tag: efge-death-to-dtml-var-branch
	add.dtml edit.dtml 
Log Message:
Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.


=== Zope/lib/python/Products/ZSQLMethods/dtml/add.dtml 1.3 => 1.3.202.1 ===
--- Zope/lib/python/Products/ZSQLMethods/dtml/add.dtml:1.3	Thu Jan 18 10:47:35 2001
+++ Zope/lib/python/Products/ZSQLMethods/dtml/add.dtml	Wed Oct 23 19:06:16 2002
@@ -53,7 +53,7 @@
     <select name="connection_id">
               <dtml-in SQLConnectionIDs>
                 <option value="&dtml-sequence-item;">
-                <dtml-var sequence-key></option>
+                &dtml-sequence-key;</option>
               </dtml-in>
     </select>
     </div>
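Review bot: The option label is now escaped the same way as the `value` attribute on the line above it, which is the right fix for this hunk: in DTML, `&dtml-sequence-key;` is shorthand for `<dtml-var sequence-key html_quote>`, so a connection id containing `<`, `>`, `&` or `"` is rendered as text instead of being interpreted as markup. No further change needed here.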


=== Zope/lib/python/Products/ZSQLMethods/dtml/edit.dtml 1.3 => 1.3.200.1 ===
--- Zope/lib/python/Products/ZSQLMethods/dtml/edit.dtml:1.3	Wed Jan 31 16:26:55 2001
+++ Zope/lib/python/Products/ZSQLMethods/dtml/edit.dtml	Wed Oct 23 19:06:16 2002
@@ -23,7 +23,7 @@
   </td>
   <td align="left" valign="top">
   <input type="text" name="title" size="40" value="<dtml-if 
-   title><dtml-var title></dtml-if>">
+   title>&dtml-title;</dtml-if>">
   </td>
 </tr>
   <tr>
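Review bot: This is the most important hunk in the patch, since `title` was being interpolated unescaped inside a double-quoted `value="..."` attribute; `&dtml-title;` applies html_quote, which turns `"` into `&quot;` and so keeps the value inside the attribute. The surrounding `<dtml-if title>` still guards the case where `title` is empty or not set, so keep it; only consider dropping it if `title` is guaranteed to be an acquirable property on every object this form is edited on. Cosmetic: the `<dtml-if` tag broken across two lines (`<dtml-if` / `title>`) was already there, but it reads awkwardly inside an attribute and could be joined onto one line while touching this code.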
@@ -39,7 +39,7 @@
                 <option value="&dtml-sequence-item;"<dtml-if 
                  expr="connection_id==_vars['sequence-item']">
                  selected</dtml-if>>
-                <dtml-var sequence-key></option>
+                &dtml-sequence-key;</option>
               </dtml-in>
     </select>
     </div>
@@ -60,8 +60,7 @@
   <div style="width: 100%;">
   <textarea name="template:text" wrap="off" style="width: 100%;"
    cols=<dtml-var sql_pref__cols html_quote missing="60">
-   rows=<dtml-var sql_pref__rows html_quote missing="20">><dtml-var
-   src fmt="html-quote"></textarea>
+   rows=<dtml-var sql_pref__rows html_quote missing="20">>&dtml-src;</textarea>
   </div>
     </td>
   </tr>
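Review bot: Replacing `<dtml-var src fmt="html-quote">` with `&dtml-src;` is behaviour-preserving (both html-quote the SQL template body before it is placed in the `<textarea>`), so this hunk is fine as is. The two `<dtml-var sql_pref__cols ...>` / `<dtml-var sql_pref__rows ...>` uses are left as explicit `<dtml-var>` tags, which matches the log message's intent of keeping the remaining ones auditable, but note they emit into unquoted attribute values (`cols=...`, `rows=...`); html_quote escapes `<`, `>`, `&` and `"` but not whitespace, so it would be worth writing them as `cols="<dtml-var sql_pref__cols html_quote missing="60">"` and likewise for `rows` so the attribute is explicitly delimited.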