[Zope-Checkins] CVS: Zope/lib/python/ZTUtils - SimpleTree.py:1.3.6.2

Tres Seaver tseaver at zope.com
Thu Jan 8 16:13:14 EST 2004


Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/ZTUtils

Modified Files:
      Tag: Zope-2_6-branch
	SimpleTree.py 
Log Message:


   - Browsers that do not escape HTML in query strings, such as
     Internet Explorer 5.5, could potentially send a script tag in a
     query string to the ZSearch interface for cross-site scripting.
     See Collector #813 for other XSS-related rationale.


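The log message describes the attribute-context XSS this checkin closes. As an added example (not code from the Zope checkin), the two forms of the `'img'` value from `SimpleTreeNode.branch()` are rendered side by side with a constructed `base` value, and a deliberately naive attribute parser shows why the unescaped form breaks out of `src`. `html.escape` stands in for the patch's `cgi.escape(s, 1)`, which was removed in Python 3.8; it escapes the same `&`, `<`, `>` and `"` plus `'`.

```python
import re
from html import escape  # cgi.escape(s, 1) equivalent on Python 3 (also escapes ')


def img_tag_unpatched(base, img, setst):
    """The 1.3.6.1 rendering: every value lands in the attribute unescaped."""
    return '<img src="%s/p_/%s" alt="%s" border="0">' % (base, img, setst)


def img_tag_patched(base, img, setst):
    """The 1.3.6.2 rendering: the request-derived base is escaped first."""
    return '<img src="%s/p_/%s" alt="%s" border="0">' % (
        escape(base, True), img, setst)


# Naive attribute scanner: a raw '"' inside a value terminates it, which is
# exactly how a browser tokenises an unescaped quote in an attribute.
ATTR_RE = re.compile(r'\b([a-z]+)="([^"]*)"')


def attributes(tag):
    """Return {name: value} for the double-quoted attributes of one tag."""
    return dict(ATTR_RE.findall(tag))


def src_stays_intact(tag, base):
    """True when the whole untrusted base survived as part of the src value
    and no markup from it escaped into the tag's own structure."""
    src = attributes(tag).get('src', '')
    return src.startswith(escape(base, True)) and tag.count('<') == 1


# Constructed untrusted input: a base URL carrying a quote and a tag,
# the kind of value the log message says a browser may pass through unescaped.
UNTRUSTED_BASE = 'http://zope.example/"><em>'

if __name__ == '__main__':
    for render in (img_tag_unpatched, img_tag_patched):
        tag = render(UNTRUSTED_BASE, 'pl', 'collapsed')
        print(render.__name__, src_stays_intact(tag, UNTRUSTED_BASE), tag)
```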
=== Zope/lib/python/ZTUtils/SimpleTree.py 1.3.6.1 => 1.3.6.2 ===
--- Zope/lib/python/ZTUtils/SimpleTree.py:1.3.6.1	Thu Oct  3 17:09:14 2002
+++ Zope/lib/python/ZTUtils/SimpleTree.py	Thu Jan  8 16:13:14 2004
@@ -16,6 +16,7 @@
 __version__='$Revision$'[11:-2]
 
 from Tree import TreeMaker, TreeNode, b2a
+from cgi import escape
 
 class SimpleTreeNode(TreeNode):
     def branch(self):
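Review bot: the bare `from cgi import escape` leaves a reader of `branch()` with an unqualified `escape` whose purpose (HTML attribute quoting against the XSS in the log message) is not visible at the call site; importing `cgi` and calling `cgi.escape(...)`, or a one-line comment beside the import, would document it. Note that `escape(s, 1)` converts `&`, `<`, `>` and `"` only, which is adequate for the double-quoted attribute it is used in but not for single-quoted or unquoted ones.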
@@ -35,9 +36,10 @@
         obid = self.id
         pre = self.aq_acquire('tree_pre')
 
-        return {'link': '?%s-setstate=%s,%s,%s#%s' % (pre, setst[0],
-                                                      exnum, obid, obid),
-        'img': '<img src="%s/p_/%s" alt="%s" border="0">' % (base, img, setst)}
+        return {'link': '?%s-setstate=%s,%s,%s#%s' % \
+                        (pre, setst[0], exnum, obid, obid),
+                'img': '<img src="%s/p_/%s" alt="%s" border="0">' % \
+                        (escape(base, 1), img, setst)}
 
 
 class SimpleTreeMaker(TreeMaker):
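Review bot: only `base` is escaped in the `'img'` value; `img` and `setst` go into the same double-quoted attributes unescaped, and `pre`, `setst[0]`, `exnum` and `obid` are interpolated into the `'link'` value with no encoding at all. If those are trusted (tree-internal ids and the acquired `tree_pre`), a comment saying so would record that decision; otherwise they need the same `escape(..., 1)` treatment as `base`. Minor: the backslash continuations after `%` are redundant inside the brace-enclosed dict literal.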
