[Zope-Checkins] CVS: Zope/lib/python/Products/ZopeTutorial/dtml - glossaryView.dtml:1.3.10.1 lessonView.dtml:1.4.10.1

Florent Guillaume fg@nuxeo.com
Sun, 22 Dec 2002 11:16:48 -0500


Update of /cvs-repository/Zope/lib/python/Products/ZopeTutorial/dtml
In directory cvs.zope.org:/tmp/cvs-serv2325/lib/python/Products/ZopeTutorial/dtml

Modified Files:
      Tag: Zope-2_6-branch
	glossaryView.dtml lessonView.dtml 
Log Message:
Fixed insufficient quoting in a number of DTML files when displaying
the title. This closes some actual and potential XSS holes. (Collector #595)


=== Zope/lib/python/Products/ZopeTutorial/dtml/glossaryView.dtml 1.3 => 1.3.10.1 ===
--- Zope/lib/python/Products/ZopeTutorial/dtml/glossaryView.dtml:1.3	Sat Jun 29 21:43:48 2002
+++ Zope/lib/python/Products/ZopeTutorial/dtml/glossaryView.dtml	Sun Dec 22 11:16:17 2002
@@ -27,12 +27,12 @@
 }
 </style>
 
-<h2><dtml-var title></h2>
+<h2>&dtml-title;</h2>
 
 <dtml-var expr="formatted_content(REQUEST)">
 
 <p class="feedback">Comments on this lesson?
-<a href="mailto:zdp@zope.org?subject=<dtml-var title>">Email feedback</a>.
+<a href="mailto:zdp@zope.org?subject=&dtml.url_quote_plus-title;">Email feedback</a>.
 </p>
 
 <dtml-var standard_html_footer>
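Review bot: the two quoting fixes in this hunk use different mechanisms, and only the first is HTML escaping: `&dtml-title;` is the entity form of `<dtml-var title html_quote>`, while `&dtml.url_quote_plus-title;` percent-encodes the value for the URL and relies on `quote_plus` also encoding `&`, `"`, `<` and `>` to keep the `href` attribute intact. That holds for `url_quote_plus`, but if the modifier is ever changed to one that leaves `&` or quotes untouched, `html_quote` would need to be applied as well, so a one-line comment noting the dependency is worth adding. The unchanged `<dtml-var expr="formatted_content(REQUEST)">` just below the heading stays unquoted; that is presumably intentional because it emits markup, but the log message should say so, since the commit otherwise reads as closing every unquoted `dtml-var` in these views.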


=== Zope/lib/python/Products/ZopeTutorial/dtml/lessonView.dtml 1.4 => 1.4.10.1 ===
--- Zope/lib/python/Products/ZopeTutorial/dtml/lessonView.dtml:1.4	Sat Jun 29 21:43:48 2002
+++ Zope/lib/python/Products/ZopeTutorial/dtml/lessonView.dtml	Sun Dec 22 11:16:17 2002
@@ -27,7 +27,7 @@
 }
 </style>
 
-<h2><dtml-var title></h2>
+<h2>&dtml-title;</h2>
 
 <dtml-var obj>
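Review bot: the `<h2>` fix matches the one in `glossaryView.dtml`, but the unchanged `<dtml-var obj>` two lines below remains unquoted, so whether this view is fully covered depends on `obj` rendering itself with its own escaping; a short note in the log message (or next to the tag) stating that `obj` is trusted rendered output would make it clear that this hunk was not an oversight.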
 
@@ -35,7 +35,7 @@
 <dtml-var tutorialNavigation>
 
 <p class="feedback">Comments on this lesson?
-<a href="mailto:zdp@zope.org?subject=<dtml-var title>">Email feedback</a>.
+<a href="mailto:zdp@zope.org?subject=&dtml.url_quote_plus-title;">Email feedback</a>.
 </p>
 
 <dtml-var standard_html_footer>
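Review bot: `&dtml.url_quote_plus-title;` in the `mailto:` subject is safe for the attribute, but `url_quote_plus` encodes spaces as `+`, and in a `mailto:` URL a `+` is a literal plus sign rather than a space, so a multi-word lesson title will arrive in the mail client as `Some+Lesson+Title`. Using `&dtml.url_quote-title;` instead gives `%20` for spaces while still percent-encoding `&`, `"`, `<` and `>`, so it keeps the same XSS protection and produces a readable subject line; the same applies to the identical line in `glossaryView.dtml`.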