[Zope-Checkins] CVS: Zope/lib/python/ZPublisher - HTTPResponse.py:1.69.4.6
Tres Seaver
tseaver at zope.com
Thu Jan 8 16:13:44 EST 2004
Update of /cvs-repository/Zope/lib/python/ZPublisher
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/ZPublisher
Modified Files:
Tag: Zope-2_6-branch
HTTPResponse.py
Log Message:
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
See Collector #813 for other XSS-related rationale.
=== Zope/lib/python/ZPublisher/HTTPResponse.py 1.69.4.5 => 1.69.4.6 ===
--- Zope/lib/python/ZPublisher/HTTPResponse.py:1.69.4.5 Tue Jul 8 02:01:30 2003
+++ Zope/lib/python/ZPublisher/HTTPResponse.py Thu Jan 8 16:13:13 2004
@@ -453,7 +453,8 @@
ibase = base_re_search(body)
if ibase is None:
self.body = ('%s\n<base href="%s" />\n%s' %
- (body[:index], self.base, body[index:]))
+ (body[:index], self.quoteHTML(self.base),
+ body[index:]))
self.setHeader('content-length', len(self.body))
def appendCookie(self, name, value):
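Review bot: the escaping is applied at the right point, where `self.base` is interpolated into the `href="%s"` attribute of the injected `<base>` tag, but because the value lands inside a double-quoted attribute the fix only holds if `self.quoteHTML` escapes `"` in addition to `&`, `<` and `>`; please confirm that and add a regression test that sets a base containing a double quote and angle brackets and checks the emitted tag. Note also that only the `ibase is None` branch is changed, so an existing `<base>` tag already in `body` is passed through as-is, which is fine since `self.base` is not inserted there, but a short comment saying so would help the next reader. The `content-length` recomputation on the following line still uses the substituted `self.body`, so the length stays correct after escaping.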