[Zope-Checkins] CVS: Zope/lib/python/DocumentTemplate - DT_In.py:1.60.6.1 DT_UI.py:1.13.2.1
Tres Seaver
tseaver at zope.com
Thu Jan 8 16:13:35 EST 2004
Update of /cvs-repository/Zope/lib/python/DocumentTemplate
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/DocumentTemplate
Modified Files:
Tag: Zope-2_6-branch
DT_In.py DT_UI.py
Log Message:
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
See Collector #813 for other XSS-related rationale.
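Added example (written for this page, not Zope's own DocumentTemplate code) that models the "Next results" link described in the DT_In.py docstring and shows the difference the patch makes: `<!--#var ...-->` inserts a value verbatim, `&dtml-...;` html-quotes it. It assumes html_quote does the four usual replacements (`&`, `<`, `>`, `"`), that sequence-query is the browser's raw query string minus any batch_start and ending in a separator, and that a browser like the one in the log message delivers `<script>` in the query string literally. Function names and the payload are constructed for the example.

```python
"""Model of the ZSearch 'Next results' link, before and after the fix.
Not Zope code: the helpers below imitate DocumentTemplate behaviour."""


def html_quote(value):
    # Assumption: the same four replacements DocumentTemplate's html_quote
    # performs; '&' goes first so later entities are not double-escaped.
    return (str(value).replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))


def sequence_query(raw_query):
    """Model of the 'sequence-query' variable: the raw QUERY_STRING with any
    batch_start removed, ending in '?' or '&' so batch_start can be appended.
    The string is deliberately not decoded or re-encoded: a browser that
    sends '<script>' literally gets it reflected literally."""
    kept = [p for p in raw_query.split("&")
            if p and not p.startswith("batch_start=")]
    return "?" + "&".join(kept) + "&" if kept else "?"


def next_link_unquoted(url, raw_query, start, size):
    # Pre-patch template: <!--#var name--> substitutes the value verbatim.
    return '<a href="%s%sbatch_start=%d">(Next %d results)</a>' % (
        url, sequence_query(raw_query), start, size)


def next_link_quoted(url, raw_query, start, size):
    # Post-patch template: &dtml-name; behaves like <dtml-var name html_quote>.
    return '<a href="%s%sbatch_start=%d">(Next %d results)</a>' % (
        html_quote(url), html_quote(sequence_query(raw_query)), start, size)


# Constructed inputs: the docstring's benign query, and an attribute-breakout
# payload of the kind the log message warns about.
BENIGN_QUERY = "x=1&y=2&batch_start=10"
XSS_QUERY = 'x=1&y=2"><script>alert(1)</script><a href="'


def demo():
    """Return (benign quoted link, hostile unquoted link, hostile quoted link)."""
    benign = next_link_quoted("foo/bar", BENIGN_QUERY, 20, 20)
    hostile_old = next_link_unquoted("foo/bar", XSS_QUERY, 20, 20)
    hostile_new = next_link_quoted("foo/bar", XSS_QUERY, 20, 20)
    return benign, hostile_old, hostile_new


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The unquoted rendering closes the `href` attribute early and emits a live `<script>` element; the quoted rendering keeps the whole query inside the attribute as `&quot;&gt;&lt;script&gt;...`, which the browser treats as part of the URL. Note that quoting also turns the `&` between parameters into `&amp;`, which is the correct form inside an HTML attribute.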
=== Zope/lib/python/DocumentTemplate/DT_In.py 1.60 => 1.60.6.1 ===
--- Zope/lib/python/DocumentTemplate/DT_In.py:1.60 Wed Aug 14 18:29:52 2002
+++ Zope/lib/python/DocumentTemplate/DT_In.py Thu Jan 8 16:13:03 2004
@@ -179,10 +179,8 @@
... display rows
<!--#if sequence-end--> <!--#if next-sequence-->
- <a href="<!--#var URL-->/<!--#var sequence-query
- -->&batch_start=<!--#var
- next-sequence-start-number-->">
- (Next <!--#var next-sequence-size--> results)
+ <a href="&dtml-URL;/&dtml-sequence-query;batch_start=&dtml-next-sequence-start-number;">
+ (Next &dtml-next-sequence-size; results)
</a>
<!--#/if--> <!--#/if-->
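Review bot: the explicit `&` between sequence-query and batch_start is dropped in the new line (`&dtml-sequence-query;batch_start=`), so the example now relies on sequence-query already ending in `?` or `&`; if that is the contract, say so in this docstring next to the example, since the rendered output further down still shows `...y=2&batch_start=20` and a reader cannot tell where the separator comes from. The switch to `&dtml-...;` is also the actual fix (it html-quotes the value, which is what keeps a script tag in the query string inside the attribute), and the docstring says nothing about why the syntax changed; a one-line remark would save the next person from "simplifying" it back.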
@@ -191,7 +189,7 @@
If the original URL is: 'foo/bar?x=1&y=2', then the
rendered text (after row data are displayed) will be::
- <a href="foo/bar?x=1&y=2&batch_start=20">
+ <a href="foo/bar?x=1&y=2&batch_start=20">
(Next 20 results)
</a>
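Review bot: the removed and added lines read identically here (`<a href="foo/bar?x=1&y=2&batch_start=20">`), so whatever this hunk changes is not visible in the listing. If the new line is meant to show the html-quoted form that `&dtml-sequence-query;` now produces (`&amp;` between the parameters), check that the docstring text really contains it; an unchanged example would keep documenting the old, unquoted output.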
@@ -199,7 +197,7 @@
then the rendered text (after row data are displayed)
will be::
- <a href="foo/bar?x=1&y=2&batch_start=30">
+ <a href="foo/bar?x=1&y=2&batch_start=30">
(Next 20 results)
</a>
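Review bot: same as the preceding hunk: the `-` and `+` lines of the batch_start=30 example are identical as shown. If the quoted form is intended, this second example needs the same `&amp;` treatment so the two rendered examples stay consistent with each other and with the template above them.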
=== Zope/lib/python/DocumentTemplate/DT_UI.py 1.13 => 1.13.2.1 ===
--- Zope/lib/python/DocumentTemplate/DT_UI.py:1.13 Mon Aug 26 09:30:18 2002
+++ Zope/lib/python/DocumentTemplate/DT_UI.py Thu Jan 8 16:13:03 2004
@@ -36,31 +36,27 @@
<BODY bgcolor="#FFFFFF">
<!--#var document_template_edit_header-->
- <FORM name="editform" ACTION="<!--#var URL1-->/manage_edit" METHOD="POST">
+ <FORM name="editform" ACTION="&dtml-URL1;/manage_edit" METHOD="POST">
<!--#var document_template_form_header-->
Document template source:
<center>
<br>
- <TEXTAREA NAME="data:text" cols="<!--#var document_template_edit_width-->"
+ <TEXTAREA NAME="data:text" cols="&dtml-document_template_edit_width;"
rows="20"><!--#var __str__--></TEXTAREA>
<br>
<INPUT NAME=SUBMIT TYPE="SUBMIT" VALUE="Change">
<INPUT NAME=SUBMIT TYPE="RESET" VALUE="Reset">
- <INPUT NAME="dt_edit_name" TYPE="HIDDEN"
- VALUE="<!--#var URL1-->">
+ <INPUT NAME="dt_edit_name" TYPE="HIDDEN" VALUE="&dtml-URL1;">
<!--#if FactoryDefaultString-->
- <INPUT NAME=SUBMIT TYPE="SUBMIT"
- VALUE="<!--#var FactoryDefaultString-->">
+ <INPUT NAME=SUBMIT TYPE="SUBMIT" VALUE="&dtml-FactoryDefaultString;">
<!--#/if FactoryDefaultString-->
<INPUT NAME=SUBMIT TYPE="SUBMIT" VALUE="Cancel">
<!--#if HTTP_REFERER-->
- <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN"
- VALUE="<!--#var HTTP_REFERER-->">
+ <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN" VALUE="&dtml-HTTP_REFERER;">
<!--#else HTTP_REFERER-->
<!--#if URL1-->
- <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN"
- VALUE="<!--#var URL1-->">
+ <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN" VALUE="&dtml-URL1;">
<!--#/if URL1-->
<!--#/if HTTP_REFERER-->
</center>
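Review bot: `<!--#var __str__-->` inside the TEXTAREA (the `rows="20"` line) is the one value in this form left unquoted while every attribute around it moved to `&dtml-...;`. Document source containing `</textarea>` would close the element and the rest of the source would render as markup in the management screen; quoting it (for instance `<!--#var __str__ html_quote-->`) is safe here because browsers decode entities in textarea content, so the displayed source is unchanged. Quoting HTTP_REFERER and URL1 is the right call, since Referer is client-supplied.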
@@ -75,14 +71,14 @@
HTML.editConfirmation=HTML(
"""<html><head><title>Change Successful</title></head><body>
<!--#if CANCEL_ACTION-->
- <form action="<!--#var CANCEL_ACTION-->" method="POST">
+ <form action="&dtml-CANCEL_ACTION;" method="POST">
<center>
- <em><!--#var dt_edit_name--></em><br>has been changed.<br><br>
+ <em>&dtml-dt_edit_name;</em><br>has been changed.<br><br>
<input type=submit name="SUBMIT" value="OK">
</center>
</form></body></html>
<!--#else CANCEL_ACTION-->
<center>
- <em><!--#var dt_edit_name--></em><br>has been changed.
+ <em>&dtml-dt_edit_name;</em><br>has been changed.
</center>
<!--#/if CANCEL_ACTION-->""")
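Review bot: `&dtml-CANCEL_ACTION;` in the form `action` (and `&dtml-dt_edit_name;` in the body) stops the value from breaking out of the attribute, but both values arrive via hidden inputs in the edit form, i.e. from the request, and quoting does not constrain which URL they hold: a `javascript:` value contains none of the characters html quoting rewrites and lands in `action` unchanged. Consider checking that CANCEL_ACTION is a relative path or a same-site URL before rendering it, or regenerating it server-side from URL1 instead of trusting the round-tripped field.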