[Zope-Checkins] CVS: Zope/lib/python/Products/PythonScripts/www - pyScriptProxy.dtml:1.3

Florent Guillaume fg@nuxeo.com
Sun, 22 Dec 2002 12:54:34 -0500


Update of /cvs-repository/Zope/lib/python/Products/PythonScripts/www
In directory cvs.zope.org:/tmp/cvs-serv14380/lib/python/Products/PythonScripts/www

Modified Files:
	pyScriptProxy.dtml 
Log Message:
Merged efge-death-to-dtml-var-branch into HEAD:

Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.


=== Zope/lib/python/Products/PythonScripts/www/pyScriptProxy.dtml 1.2 => 1.3 ===
--- Zope/lib/python/Products/PythonScripts/www/pyScriptProxy.dtml:1.2	Mon Jan  8 17:47:02 2001
+++ Zope/lib/python/Products/PythonScripts/www/pyScriptProxy.dtml	Sun Dec 22 12:54:03 2002
@@ -24,7 +24,7 @@
   <dtml-if expr="_vars['sequence-item'] != 'Shared'">
   <option <dtml-if 
    expr="manage_haveProxy(_vars['sequence-item'])">selected</dtml-if
-  >><dtml-var sequence-item></option>
+  >>&dtml-sequence-item;</option>
   </dtml-if>
   </dtml-in valid_roles>
   </select>
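Review bot: The `<option>` on the changed line still carries no `value` attribute, so the browser submits the element's text as the role name, and that text is whitespace-normalized before submission. Now that the label is rendered through the HTML-quoting entity form, consider also emitting the role explicitly, for example `<option value="&dtml-sequence-item;" ...>&dtml-sequence-item;</option>`, so the submitted value does not depend on how the label text is rendered. The replacement of `<dtml-var sequence-item>` with `&dtml-sequence-item;` itself looks right for this text context, since role names in `valid_roles` would otherwise be inserted into the page unquoted.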