[Zope-Checkins] CVS: Zope/lib/python/HelpSys - HelpSys.py:1.24.6.1

Tres Seaver tseaver at zope.com
Thu Jan 8 16:13:35 EST 2004


Update of /cvs-repository/Zope/lib/python/HelpSys
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/HelpSys

Modified Files:
      Tag: Zope-2_6-branch
	HelpSys.py 
Log Message:


   - Browsers that do not escape HTML in query strings, such as
     Internet Explorer 5.5, could potentially send a script tag in a
     query string to the ZSearch interface for cross-site scripting.
     See Collector #813 for other XSS-related rationale.


=== Zope/lib/python/HelpSys/HelpSys.py 1.24 => 1.24.6.1 ===
--- Zope/lib/python/HelpSys/HelpSys.py:1.24	Wed Aug 14 17:34:42 2002
+++ Zope/lib/python/HelpSys/HelpSys.py	Thu Jan  8 16:13:04 2004
@@ -17,6 +17,7 @@
 from Globals import Persistent, DTMLFile, HTML
 from Products.ZCatalog.ZCatalog import ZCatalog
 from Products.ZCatalog.Lazy import LazyCat
+from cgi import escape
 import Products
 import HelpTopic
 import Globals
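Review bot: `cgi.escape(s, 1)` converts `&`, `<`, `>` and `"` to entities but leaves `'` untouched, so this import alone does not cover the single-quoted JavaScript string literal that `help_url` is interpolated into further down; the call site compensates with a manual `.replace("'", "\\'")`. Consider adding a small helper next to this import that performs both the HTML-attribute escaping and the JavaScript-string escaping in one place, so the two contexts are handled consistently wherever the link is rendered.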
@@ -103,14 +104,14 @@
             )
         help_url='%s?help_url=%s' % (self.absolute_url(), help_url)
 
-        script='window.open(\'%s\',\'zope_help\',\'width=600,' \
-                'height=500,menubar=yes,toolbar=yes,scrollbars=yes,' \
-                'resizable=yes\'); return false;' % help_url
+        script="window.open('%s','zope_help','width=600,height=500," \
+               "menubar=yes,toolbar=yes,scrollbars=yes,resizable=yes');" \
+               "return false;" % escape(help_url, 1).replace("'", "\\'")
 
         h_link='<a href="%s" onClick="%s" onMouseOver="window.status=' \
                '\'Open online help\'; return true;" onMouseOut="' \
                'window.status=\'\'; return true;">Help!</a>' % (
-               help_url, script
+               escape(help_url, 1), script
                )
 
         return h_link
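Review bot: the JavaScript string context in `script` is only partly handled. `escape(help_url, 1).replace("'", "\\'")` escapes single quotes but not backslashes, so a backslash already present in `help_url` pairs with the inserted one and leaves the following `'` unescaped. Escape the backslash first (`.replace("\\", "\\\\")` before the quote replacement), or better, URL-encode the incoming `help_url` value with `urllib.quote` where it is interpolated into `'%s?help_url=%s'` above, since a valid URL needs neither `'` nor `\` and the escaping question then disappears. The `escape(help_url, 1)` applied to the `href` attribute is the right treatment for that context.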
