[Zope-Checkins] CVS: Zope/lib/python/HelpSys/dtml - menu.dtml:1.3.64.1 menu_header.dtml:1.2.212.1 topic_header.dtml:1.2.212.1
Florent Guillaume
fg@nuxeo.com
Sun, 22 Dec 2002 11:16:46 -0500
Update of /cvs-repository/Zope/lib/python/HelpSys/dtml
In directory cvs.zope.org:/tmp/cvs-serv2325/lib/python/HelpSys/dtml
Modified Files:
Tag: Zope-2_6-branch
menu.dtml menu_header.dtml topic_header.dtml
Log Message:
Fixed insufficient quoting in a number of DTML files when displaying
the title. This closes some actual and potential XSS holes. (Collector #595)
=== Zope/lib/python/HelpSys/dtml/menu.dtml 1.3 => 1.3.64.1 ===
--- Zope/lib/python/HelpSys/dtml/menu.dtml:1.3 Thu Feb 28 08:28:39 2002
+++ Zope/lib/python/HelpSys/dtml/menu.dtml Sun Dec 22 11:16:15 2002
@@ -4,9 +4,9 @@
<dtml-tree sort=id>
<dtml-if "meta_type =='Help Topic'">
- <a href="<dtml-var absolute_url>" target="help_main"><dtml-var title_or_id></a>
+ <a href="<dtml-var absolute_url>" target="help_main">&dtml-title_or_id;</a>
<dtml-else>
- <dtml-var title>
+ &dtml-title;
</dtml-if>
</dtml-tree>
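Review bot: On the changed anchor line in menu.dtml the link text is now entity-quoted, but the href on the same line still uses <dtml-var absolute_url> with no html_quote, so the attribute value is emitted raw between the double quotes. If absolute_url can ever contain a quote or angle bracket, that is the same class of hole in an attribute context. Writing href="&dtml-absolute_url;" would quote it the same way as the title and keep the line consistent.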
=== Zope/lib/python/HelpSys/dtml/menu_header.dtml 1.2 => 1.2.212.1 ===
--- Zope/lib/python/HelpSys/dtml/menu_header.dtml:1.2 Mon Jan 8 17:46:58 2001
+++ Zope/lib/python/HelpSys/dtml/menu_header.dtml Sun Dec 22 11:16:15 2002
@@ -1,5 +1,5 @@
<html>
<head>
- <title><dtml-var title></title>
+ <title>&dtml-title;</title>
</head>
<body bgcolor="#FFFFFF">
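Review bot: The <title> line in menu_header.dtml now quotes correctly for element content, but &dtml-title; still renders an empty <title> when the object has no title. The Help Topic branch of menu.dtml in this same commit uses &dtml-title_or_id; for that reason. Consider the same fallback here if title_or_id is available on the object this header is rendered for.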
=== Zope/lib/python/HelpSys/dtml/topic_header.dtml 1.2 => 1.2.212.1 ===
--- Zope/lib/python/HelpSys/dtml/topic_header.dtml:1.2 Mon Jan 8 17:46:58 2001
+++ Zope/lib/python/HelpSys/dtml/topic_header.dtml Sun Dec 22 11:16:15 2002
@@ -1,6 +1,6 @@
<html>
<head>
-<title><dtml-var title></title>
+<title>&dtml-title;</title>
<style type="text/css">
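Review bot: The <title> line in topic_header.dtml receives the identical one-line fix as menu_header.dtml, and both templates open with the same html/head/title prologue, so the quoting rule now lives in two copies that can drift apart. Moving that shared prologue into one included template would leave a single place to audit. The visible context also stops at the <style> line, so the log message could state whether the rest of this file was checked for other unquoted <dtml-var title> uses.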