[Zope-Checkins] CVS: Zope/lib/python/ZClasses/dtml - contents.dtml:1.2.212.1
Florent Guillaume
fg@nuxeo.com
Sun, 22 Dec 2002 11:16:19 -0500
Update of /cvs-repository/Zope/lib/python/ZClasses/dtml
In directory cvs.zope.org:/tmp/cvs-serv2325/lib/python/ZClasses/dtml
Modified Files:
Tag: Zope-2_6-branch
contents.dtml
Log Message:
Fixed insufficient quoting in a number of DTML files when displaying
the title. This closes some actual and potential XSS holes. (Collector #595)
=== Zope/lib/python/ZClasses/dtml/contents.dtml 1.2 => 1.2.212.1 ===
--- Zope/lib/python/ZClasses/dtml/contents.dtml:1.2 Mon Jan 8 17:47:07 2001
+++ Zope/lib/python/ZClasses/dtml/contents.dtml Sun Dec 22 11:16:18 2002
@@ -28,7 +28,7 @@
<dtml-var "_['sequence-key'][10:]">
<dtml-else ><dtml-var sequence-key>
</dtml-if>
- <dtml-if title>(<dtml-var title>)</dtml-if>
+ <dtml-if title>(&dtml-title;)</dtml-if>
</A>
<dtml-if locked_in_version>
<dtml-if modified_in_version>
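Review bot: The two `sequence-key` lines at the top of this hunk still render unquoted inside the same `<A>` element whose title is being fixed. `<dtml-var "_['sequence-key'][10:]">` and `<dtml-var sequence-key>` are emitted as-is, so if an id can ever carry `<`, `>` or `&` the link text has the same problem the title had. Suggest adding `html_quote` to the expression form (`<dtml-var "_['sequence-key'][10:]" html_quote>`) and switching the plain one to `&dtml-sequence-key;`, or stating in the log message why ids are considered safe here.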
@@ -63,7 +63,7 @@
<TABLE BORDER="0" CELLSPACING="0" CELLPADDING="2">
<TR>
<TD>
-There are currently no items in <EM><dtml-var title_or_id></EM>
+There are currently no items in <EM>&dtml-title_or_id;</EM>
<P>
<dtml-if cb_dataValid>
<INPUT TYPE="SUBMIT" NAME="manage_pasteObjects:method" VALUE="Paste">
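Review bot: Nothing at the `<EM>&dtml-title_or_id;</EM>` line records why the entity syntax is used instead of `<dtml-var title_or_id>`, so a later cleanup could switch it back to the unquoted tag without noticing. The entity form is the right choice for element content; a short `<dtml-comment>` next to it, or a sentence in the log message saying that `&dtml-...;` applies HTML quoting, would make the intent visible to the next editor of this template.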