[Zope-Checkins] CVS: Zope/lib/python/Products/PluginIndexes/TextIndex - TextIndex.py:1.25.4.3

Martijn Pieters mj@zope.com
Thu, 1 Aug 2002 12:01:28 -0400


Update of /cvs-repository/Zope/lib/python/Products/PluginIndexes/TextIndex
In directory cvs.zope.org:/tmp/cvs-serv9310/lib/python/Products/PluginIndexes/TextIndex

Modified Files:
      Tag: Zope-2_5-branch
	TextIndex.py 
Log Message:
Big change, merge from trunk.

- Make DTML automatically html quote data indirectly taken from REQUEST
  which contain a '<'. Make sure (almost) all string operations preserve the
  taint on this data.

- Fix exceptions that use REQUEST data; quote the data.

- Don't let form and cookie values mask the REQUEST computed values such as
  URL0 and BASE1.


=== Zope/lib/python/Products/PluginIndexes/TextIndex/TextIndex.py 1.25.4.2 => 1.25.4.3 ===
 from Lexicon import Lexicon
 
 from types import *
+from cgi import escape
 
 class Op:
     def __init__(self, name):
@@ -482,7 +483,7 @@
         query_operator = operator_dict.get(qop)
         if query_operator is None:
             raise exceptions.RuntimeError, ("Invalid operator '%s' "
-                                            "for a TextIndex" % qop)
+                                            "for a TextIndex" % escape(qop))
         r = None
 
         for key in record.keys:
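
Review bot: on the changed line, escape(qop) is called with a single argument, so cgi.escape converts only &, < and > and leaves a double quote in qop untouched. That is enough while the exception text is rendered as element content, but if the message can end up inside an HTML attribute value, pass the quote flag as well: escape(qop, 1). Also, escape() calls string methods on its argument, so if qop can ever be a non-string value (its origin is not visible in this hunk), the call would fail with a different exception before the intended RuntimeError is raised; escape(str(qop)) would keep the error path intact.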