[Zope-Checkins] CVS: Zope/lib/python/Products/PluginIndexes/common - UnIndex.py:1.13
Martijn Pieters
mj@zope.com
Thu, 1 Aug 2002 12:01:11 -0400
Update of /cvs-repository/Zope/lib/python/Products/PluginIndexes/common
In directory cvs.zope.org:/tmp/cvs-serv9325/lib/python/Products/PluginIndexes/common
Modified Files:
UnIndex.py
Log Message:
Big change
- Make DTML automatically html quote data indirectly taken from REQUEST
which contain a '<'. Make sure (almost) all string operations preserve the
taint on this data.
- Fix exceptions that use REQUEST data; quote the data.
- Don't let form and cookie values mask the REQUEST computed values such as
URL0 and BASE1.
=== Zope/lib/python/Products/PluginIndexes/common/UnIndex.py 1.12 => 1.13 ===
from Products.PluginIndexes.common.util import parseIndexRequest
import sys
+from cgi import escape
_marker = []
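Review bot: the `from cgi import escape` line brings in a function that, with its default arguments, encodes only `&`, `<` and `>` and leaves double quotes untouched. That is sufficient for text rendered as element content, but not if the exception message is ever placed inside an HTML attribute value. Suggest a one-line comment at the import saying it is intended for element-content quoting only, or passing the quote argument at the call site.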
@@ -330,7 +331,7 @@
# experimental code for specifing the operator
operator = record.get('operator',self.useOperator)
if not operator in self.operators :
- raise RuntimeError,"operator not valid: %s" % operator
+ raise RuntimeError,"operator not valid: %s" % escape(operator)
# depending on the operator we use intersection or union
if operator=="or": set_func = union
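Review bot: in the new `raise RuntimeError` line, `escape(operator)` assumes `operator` is a string, but nothing in the visible lines guarantees that: it comes from `record.get('operator',self.useOperator)` and has only just failed the `self.operators` membership test. `escape` calls `.replace` on its argument, so a non-string value would raise a different error from inside `escape` and mask the intended RuntimeError; `escape(str(operator))` would avoid that. It is also worth a comment noting that the message is HTML-encoded at the raise site, so logs and other non-HTML consumers of this exception will see entities rather than the raw value.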