[Zope-Checkins] CVS: Zope/doc - CHANGES.txt:1.406.2.61
Martijn Pieters
mj@zope.com
Thu, 1 Aug 2002 12:01:27 -0400
Update of /cvs-repository/Zope/doc
In directory cvs.zope.org:/tmp/cvs-serv9310/doc
Modified Files:
Tag: Zope-2_5-branch
CHANGES.txt
Log Message:
Big change, merge from trunk.
- Make DTML automatically html quote data indirectly taken from REQUEST
which contain a '<'. Make sure (almost) all string operations preserve the
taint on this data.
- Fix exceptions that use REQUEST data; quote the data.
- Don't let form and cookie values mask the REQUEST computed values such as
URL0 and BASE1.
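An added illustration, not Zope's own code and not part of this checkin, of the taint mechanism the log message describes: REQUEST form and cookie values containing a '<' are wrapped so that the wrapper survives ordinary string operations and is HTML-quoted when <dtml-var name> renders it, while explicit REQUEST['name'] access and server-computed values such as URL0 are untouched. The TaintedString, Request, dtml_var, dtml_expr and value_error_message names, the lookup order, and the sample form and cookie data are all assumptions made for this example.

```python
import html


class TaintedString:
    """Simplified model (an assumption, not Zope's class) of a tainted string:
    a REQUEST value that contains '<'. String operations hand the taint on to
    their result; it is dropped only when the result no longer contains '<'."""

    def __init__(self, value):
        self._value = value

    def __str__(self):
        # Raw, unquoted form. Anything that renders via str() loses the taint,
        # which is why the log message says "(almost) all" operations.
        return self._value

    def __repr__(self):
        return "TaintedString(%r)" % (self._value,)

    def quoted(self):
        # What <dtml-var name> emits for tainted data.
        return html.escape(self._value, quote=True)

    def _wrap(self, result):
        if isinstance(result, str) and "<" in result:
            return TaintedString(result)
        return result

    def __getattr__(self, name):
        # Delegate str methods (upper, strip, replace, ...) and re-taint results.
        attr = getattr(self._value, name)
        if callable(attr):
            def method(*args, **kwargs):
                return self._wrap(attr(*args, **kwargs))
            return method
        return attr

    def __add__(self, other):
        return self._wrap(self._value + str(other))

    def __radd__(self, other):
        return self._wrap(str(other) + self._value)

    def __getitem__(self, key):
        return self._wrap(self._value[key])

    def __mod__(self, args):
        return self._wrap(self._value % args)

    def __len__(self):
        return len(self._value)

    def __eq__(self, other):
        return self._value == str(other)


class Request:
    """Toy stand-in for Zope's REQUEST (an assumption). 'other' holds values
    the server computes itself, such as URL0 and BASE1."""

    def __init__(self, form, cookies, other):
        self.form, self.cookies, self.other = dict(form), dict(cookies), dict(other)

    def _lookup(self, key):
        # Computed values win over form and cookie values, so a form field
        # named URL0 cannot mask the real URL0 (the masking fix in the log).
        for store, trusted in ((self.other, True), (self.form, False), (self.cookies, False)):
            if key in store:
                return store[key], trusted
        raise KeyError(key)

    def __getitem__(self, key):
        # Explicit access, e.g. REQUEST['name'] in an expression: plain value.
        return self._lookup(key)[0]

    def tainted_get(self, key):
        # Implicit DTML lookup: untrusted values containing '<' come back tainted.
        value, trusted = self._lookup(key)
        if not trusted and isinstance(value, str) and "<" in value:
            return TaintedString(value)
        return value


def render(value):
    """DTML output rule: tainted data is HTML-quoted, everything else is not."""
    return value.quoted() if isinstance(value, TaintedString) else str(value)


def dtml_var(request, name):
    """<dtml-var name>: implicit lookup, auto-quotes tainted data."""
    return render(request.tainted_get(name))


def dtml_expr(request, name):
    """<dtml-var "REQUEST['name']">: explicit access, unaffected by the change."""
    return str(request[name])


def value_error_message(request, name):
    """Exception text built from REQUEST data: the untrusted part is quoted
    before it goes into the message (the Bugs Fixed entry)."""
    return "Invalid value for %s: %s" % (name, render(request.tainted_get(name)))


def build_sample_request():
    # Constructed sample data: a form that attempts script injection and tries
    # to mask URL0, plus the server-computed URL0/BASE1 it must not mask.
    return Request(
        form={"name": "<script>alert(1)</script>", "URL0": "http://evil.example/"},
        cookies={"session": "abc<"},
        other={"URL0": "http://host.example/folder", "BASE1": "http://host.example"},
    )


if __name__ == "__main__":
    req = build_sample_request()
    print(dtml_var(req, "name"))
    print(dtml_expr(req, "name"))
    print(dtml_var(req, "URL0"))
```

Note the deliberate gap the model reproduces: str(value) or "%s" % value on a tainted string yields the raw text, so any code path that stringifies before rendering is exactly the kind of place the log message's "(almost)" refers to.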
=== Zope/doc/CHANGES.txt 1.406.2.60 => 1.406.2.61 ===
New Features
+ - <dtml-var name> and &dtml.-name; will now automatically HTML-quote
+ unsafe data taken implictly from the REQUEST object. Data taken
+ explicitly from the REQUEST object is not affected, as well as any
+ other data not originating from REQUEST.
+
Bugs Fixed
- Collector #72: Start on Windows 95 machines with no network
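Review bot: typo in the new entry, "implictly" should be "implicitly". The entry also never says what makes data "unsafe"; the log message gives the actual criterion (values from REQUEST that contain a '<'), and a site author deciding whether a template's output will change needs it, so suggest "unsafe data (values containing a '<') taken implicitly from the REQUEST object". Minor: "is not affected, as well as any other data" reads awkwardly; "nor is any other data not originating from REQUEST" would do.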
@@ -37,6 +42,9 @@
storage.
- Collector #421: Leak of object in cAccessControl.
+
+ - Exceptions that use untrusted information from a REQUEST object in
+ the exception message now html-quote that information.
Zope 2.5.1
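Review bot: the new Bugs Fixed entry writes "html-quote" while the New Features entry in the same file uses "HTML-quote"; pick one spelling. The neighbouring entries cite a Collector number (#72, #421) and this one does not; add it if the issue has one, and otherwise consider saying which exceptions are covered (the log message only says "exceptions that use REQUEST data"), since as written a reader cannot tell whether exceptions raised by their own code are affected.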