[Zope-Checkins] CVS: Zope/lib/python/Products/OFSP - Version.py:1.53.6.1
Tres Seaver
tseaver at zope.com
Thu Jan 8 16:13:38 EST 2004
Update of /cvs-repository/Zope/lib/python/Products/OFSP
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/Products/OFSP
Modified Files:
Tag: Zope-2_6-branch
Version.py
Log Message:
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
See Collector #813 for other XSS-related rationale.
=== Zope/lib/python/Products/OFSP/Version.py 1.53 => 1.53.6.1 ===
--- Zope/lib/python/Products/OFSP/Version.py:1.53 Wed Aug 14 18:16:04 2002
+++ Zope/lib/python/Products/OFSP/Version.py Thu Jan 8 16:13:06 2004
@@ -23,6 +23,7 @@
from Globals import HTML
from App.Dialogs import MessageDialog
from OFS.ObjectManager import BeforeDeleteException
+from cgi import escape
class VersionException(BeforeDeleteException): pass
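Review bot: `from cgi import escape` imports a function whose default is quote=False, which replaces only `&`, `<` and `>` and leaves a double quote untouched. That is sufficient for the text-context interpolation this branch fix makes, but if the same import is later used for a value placed inside an attribute (an href or value= in a management form), it must be called as `escape(value, quote=True)`. Consider either noting that in a comment next to the import or importing a small wrapper that always passes quote=True so callers in this module cannot forget.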
@@ -108,7 +109,7 @@
action=REQUEST['URL1']+'/manage_main',
message=('If cookies are enabled by your browser, then '
'you should have joined version %s.'
- % self.id)
+ % escape(self.id))
)
return RESPONSE.redirect(REQUEST['URL1']+'/manage_main')
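Review bot: the log message talks about script tags in the ZSearch query string, but this hunk escapes `self.id` in the join-version MessageDialog of Version.py; the log should say that the Collector #813 rationale (escape anything reflected into a management dialog) is being applied here too, so a reader of the Zope-2_6-branch history can connect the two. The escape itself is correct for this text context, and `self.id` is the only value interpolated into the visible message string; the `action=REQUEST['URL1']+'/manage_main'` line two lines above, however, still passes a request-derived value into the dialog unescaped, so either confirm that MessageDialog escapes its action attribute or apply `escape(..., quote=True)` there as well.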
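The following is an added illustration, not code from Zope or from this checkin: it shows the before/after of the Version.py change with a constructed script-tag id, and the quote= caveat of `cgi.escape`. Since Python 2's `cgi.escape` was removed in Python 3.8, its exact replacement logic is re-implemented here as `cgi_escape()`; `LINK_TEMPLATE` is a hypothetical attribute context that is not part of the patch.

```python
# Added example, not code from Zope or this checkin: the before/after of the
# Version.py change, plus the quote= caveat of cgi.escape.  Python 2's
# cgi.escape was removed in Python 3.8, so its exact behaviour is
# re-implemented below as cgi_escape().

def cgi_escape(s, quote=False):
    """Python 2 cgi.escape semantics: '&', '<', '>' are always replaced,
    '"' only when quote=True (the default left it untouched)."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s

# The message string from the patched dialog (HTML text context).
JOIN_MESSAGE = ('If cookies are enabled by your browser, then '
                'you should have joined version %s.')

# Hypothetical attribute context (not in the patch): the same id placed
# inside an attribute value, where quote=False is not enough.
LINK_TEMPLATE = '<a href="%s/manage_main">manage</a>'

def join_message_before(version_id):
    """Pre-patch behaviour: the id is interpolated into the HTML verbatim."""
    return JOIN_MESSAGE % version_id

def join_message_after(version_id):
    """Post-patch behaviour: the id is escaped at the interpolation point."""
    return JOIN_MESSAGE % cgi_escape(version_id)

def link_with_id(version_id, quote=False):
    """Id inside an attribute value, escaped with the given quote= setting."""
    return LINK_TEMPLATE % cgi_escape(version_id, quote=quote)

def markup_survives(fragment, marker):
    """True if the raw marker is still present in the rendered fragment,
    i.e. a browser would parse it as markup rather than as text."""
    return marker in fragment

# Constructed sample ids; treat anything reaching the dialog as untrusted.
TEXT_PAYLOAD = '<script>alert(1)</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'

if __name__ == "__main__":
    print("before           :", join_message_before(TEXT_PAYLOAD))
    print("after            :", join_message_after(TEXT_PAYLOAD))
    print("attr, quote=False:", link_with_id(ATTR_PAYLOAD))
    print("attr, quote=True :", link_with_id(ATTR_PAYLOAD, quote=True))
```

With the default quote=False the text-context payload is neutralised, exactly what the patch needs, while the attribute-context payload passes through unchanged; only quote=True closes that second case.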