[Zope-Checkins] CVS: Zope/lib/python/Products/PluginIndexes/common - UnIndex.py:1.7.12.2
Martijn Pieters
mj@zope.com
Thu, 1 Aug 2002 12:01:29 -0400
Update of /cvs-repository/Zope/lib/python/Products/PluginIndexes/common
In directory cvs.zope.org:/tmp/cvs-serv9310/lib/python/Products/PluginIndexes/common
Modified Files:
Tag: Zope-2_5-branch
UnIndex.py
Log Message:
Big change, merge from trunk.
- Make DTML automatically html quote data indirectly taken from REQUEST
which contain a '<'. Make sure (almost) all string operations preserve the
taint on this data.
- Fix exceptions that use REQUEST data; quote the data.
- Don't let form and cookie values mask the REQUEST computed values such as
URL0 and BASE1.
=== Zope/lib/python/Products/PluginIndexes/common/UnIndex.py 1.7.12.1 => 1.7.12.2 ===
from Products.PluginIndexes.common.util import parseIndexRequest
import sys
+from cgi import escape
_marker = []
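Review bot: The added `from cgi import escape` line brings in a function that, called with one argument, replaces only `&`, `<` and `>`; double quotes pass through unless the optional quote argument is true. If this exception text can ever be rendered inside an HTML attribute value, the call site should pass a true quote argument, and a short comment next to the import saying the function is used to quote REQUEST-derived data in error messages would help later readers.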
@@ -316,7 +317,7 @@
# experimental code for specifing the operator
operator = record.get('operator',self.useOperator)
if not operator in self.operators :
- raise RuntimeError,"operator not valid: %s" % operator
+ raise RuntimeError,"operator not valid: %s" % escape(operator)
# depending on the operator we use intersection or union
if operator=="or": set_func = union
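Review bot: In the changed `raise RuntimeError` line, `escape(operator)` assumes `operator` is a string, but the value comes from `record.get('operator',self.useOperator)` and this is exactly the branch where it has already failed validation. A non-string value would fail inside `escape` and surface a different exception than the intended RuntimeError, so consider converting first, for example `escape(str(operator))`. Quoting at the raise site also bakes HTML entities into the exception message, which will be escaped twice if the code that renders the error quotes it again; a comment stating which layer is responsible for quoting would make that contract explicit.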