[Zope-Checkins] CVS: Zope/lib/python/Products/PluginIndexes/TextIndex/dtml - addTextIndex.dtml:1.5 manageTextIndex.dtml:1.4 manage_vocab.dtml:1.6
Florent Guillaume
fg@nuxeo.com
Sun, 22 Dec 2002 12:54:33 -0500
Update of /cvs-repository/Zope/lib/python/Products/PluginIndexes/TextIndex/dtml
In directory cvs.zope.org:/tmp/cvs-serv14380/lib/python/Products/PluginIndexes/TextIndex/dtml
Modified Files:
addTextIndex.dtml manageTextIndex.dtml manage_vocab.dtml
Log Message:
Merged efge-death-to-dtml-var-branch into HEAD:
Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.
=== Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/addTextIndex.dtml 1.4 => 1.5 ===
--- Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/addTextIndex.dtml:1.4 Tue Jun 11 16:20:11 2002
+++ Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/addTextIndex.dtml Sun Dec 22 12:54:01 2002
@@ -45,7 +45,7 @@
<select name="extra.vocabulary:record">
<dtml-in expr="superValues('Vocabulary')">
<option value="&dtml-id;">
- &dtml-id; <dtml-var title fmt="(%s)" null>
+ &dtml-id; <dtml-var title fmt="(%s)" null html_quote>
</option>
</dtml-in>
</select>
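Review bot: The `<dtml-var title fmt="(%s)" null html_quote>` kept on the new line is now the only non-entity var in this select, and nothing records why it survived the sweep the log message describes, so the next reader auditing "remaining legitimate dtml-var" has to rediscover that the `&dtml-…;` form cannot carry a `fmt` string. Add `<dtml-comment>title stays as dtml-var only for fmt/null; html_quote is required because title is user-editable</dtml-comment>` directly above it so the escape is not later dropped as noise. As I read DT_Var, modifiers such as `html_quote` are applied after `fmt`, so the parentheses survive unescaped and only the title text is quoted; worth a quick render check rather than taking on trust. The enclosing form starts outside the hunk.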
=== Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manageTextIndex.dtml 1.3 => 1.4 ===
--- Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manageTextIndex.dtml:1.3 Tue Jun 11 16:20:11 2002
+++ Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manageTextIndex.dtml Sun Dec 22 12:54:01 2002
@@ -15,11 +15,11 @@
<dtml-in "superValues('Vocabulary')">
<dtml-if "getId()==vocabulary_id">
<option value="&dtml-id;" selected>
- &dtml-id; <dtml-var title fmt="(%s)" null>
+ &dtml-id; <dtml-var title fmt="(%s)" null html_quote>
</option>
<dtml-else>
<option value="&dtml-id;">
- &dtml-id; <dtml-var title fmt="(%s)" null>
+ &dtml-id; <dtml-var title fmt="(%s)" null html_quote>
</option>
</dtml-if>
</dtml-in>
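Review bot: The two `<option>` bodies differ only in the `selected` attribute, and this commit had to apply the same `html_quote` fix to both copies, which is exactly how one of them ends up unescaped in a future edit. Collapse them to a single option whose attribute is conditional: `<option value="&dtml-id;"<dtml-if "getId()==vocabulary_id"> selected</dtml-if>>` followed by the one label line `&dtml-id; <dtml-var title fmt="(%s)" null html_quote>` and `</option>`. Behaviour is unchanged and there is one escape site to audit instead of two. The enclosing `<select>` starts outside the hunk.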
=== Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manage_vocab.dtml 1.5 => 1.6 ===
--- Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manage_vocab.dtml:1.5 Mon May 20 14:55:44 2002
+++ Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manage_vocab.dtml Sun Dec 22 12:54:01 2002
@@ -15,7 +15,7 @@
</dtml-try>
<dtml-if useSplitter>
- , Splitter is <em><dtml-var useSplitter></em>
+ , Splitter is <em>&dtml-useSplitter;</em>
</dtml-if>
<dtml-try>
@@ -34,21 +34,20 @@
<dtml-if words>
<p class="form-text">
-<dtml-var id> contains <em><dtml-var
- words fmt=collection-length thousands_commas></em>
+&dtml-id; contains <em><dtml-var words fmt=collection-length thousands_commas></em>
word(s).
</p>
<dtml-in words previous size=20 start=query_start >
<span class="list-nav">
- <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+ <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
[Previous <dtml-var previous-sequence-size> entries]
</a>
</span>
</dtml-in>
<dtml-in words next size=20 start=query_start >
<span class="list-nav">
- <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+ <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
[Next <dtml-var next-sequence-size> entries]
</a>
</span>
@@ -71,7 +70,7 @@
<dtml-if "_.same_type(_['sequence-key'], 'x')">
&dtml-sequence-key;
<dtml-else>
- <dtml-var "_['sequence-key'].encode('utf-8')">
+ <dtml-var "_['sequence-key'].encode('utf-8')" html_quote>
</dtml-if>
</div>
</td>
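Review bot: The new `html_quote` is applied after `.encode('utf-8')`, which is the right order since the characters it rewrites are ASCII, but the branch carries no explanation of why it cannot use the entity form like the `str` branch above it, and a reader may try to "simplify" it back. Add `<dtml-comment>unicode keys must be encoded before output; the &dtml-; form cannot call encode(), so html_quote is spelled out here</dtml-comment>` above the var. If vocabulary keys can ever be something other than `str`/`unicode` (I cannot tell from this hunk), the else branch raises on `.encode` and the management page fails to render; a `<dtml-var "_.str(_['sequence-key'])" html_quote>` fallback would be safer if that case exists. The enclosing `<div>` and table cell start outside the hunk.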
@@ -84,7 +83,7 @@
<dtml-in words previous size=20 start=query_start >
<div class="list-nav">
- <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+ <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
[Previous <dtml-var previous-sequence-size> entries]
</a>
</div>
@@ -92,7 +91,7 @@
<dtml-in words next size=20 start=query_start >
<div class="list-nav">
- <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+ <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
[Next <dtml-var next-sequence-size> entries]
</a>
</div>