[Zope-Checkins] CVS: Zope/lib/python/Products/ZSQLMethods/dtml - add.dtml:1.4 edit.dtml:1.4
Florent Guillaume
fg@nuxeo.com
Sun, 22 Dec 2002 12:54:39 -0500
Update of /cvs-repository/Zope/lib/python/Products/ZSQLMethods/dtml
In directory cvs.zope.org:/tmp/cvs-serv14380/lib/python/Products/ZSQLMethods/dtml
Modified Files:
add.dtml edit.dtml
Log Message:
Merged efge-death-to-dtml-var-branch into HEAD:
Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.
=== Zope/lib/python/Products/ZSQLMethods/dtml/add.dtml 1.3 => 1.4 ===
--- Zope/lib/python/Products/ZSQLMethods/dtml/add.dtml:1.3 Thu Jan 18 10:47:35 2001
+++ Zope/lib/python/Products/ZSQLMethods/dtml/add.dtml Sun Dec 22 12:54:08 2002
@@ -53,7 +53,7 @@
<select name="connection_id">
<dtml-in SQLConnectionIDs>
<option value="&dtml-sequence-item;">
- <dtml-var sequence-key></option>
+ &dtml-sequence-key;</option>
</dtml-in>
</select>
</div>
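Review bot: The `&dtml-sequence-key;` entity form is the right fix for the option label, since it is shorthand for `<dtml-var sequence-key html_quote>` and now matches the already-quoted `&dtml-sequence-item;` in the `value` attribute on the line above; one thing to confirm is that every value SQLConnectionIDs yields is a string, because the entity syntax applies html_quote to the rendered value and a non-string id would be stringified before escaping, which is fine for output but worth a test so the two forms stay in step.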
=== Zope/lib/python/Products/ZSQLMethods/dtml/edit.dtml 1.3 => 1.4 ===
--- Zope/lib/python/Products/ZSQLMethods/dtml/edit.dtml:1.3 Wed Jan 31 16:26:55 2001
+++ Zope/lib/python/Products/ZSQLMethods/dtml/edit.dtml Sun Dec 22 12:54:08 2002
@@ -23,7 +23,7 @@
</td>
<td align="left" valign="top">
<input type="text" name="title" size="40" value="<dtml-if
- title><dtml-var title></dtml-if>">
+ title>&dtml-title;</dtml-if>">
</td>
</tr>
<tr>
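Review bot: The `<dtml-if title>` wrapper around `&dtml-title;` is now redundant and could be dropped, leaving `value="&dtml-title;"`, since an empty title renders as an empty string either way and `title` is always defined on the object. The substantive gain here is that `&dtml-title;` quotes `"` as well as `<` and `&`, so a title containing a double quote can no longer close the `value="..."` attribute the way the old `<dtml-var title>` allowed; that is the case a regression test for this template should cover.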
@@ -39,7 +39,7 @@
<option value="&dtml-sequence-item;"<dtml-if
expr="connection_id==_vars['sequence-item']">
selected</dtml-if>>
- <dtml-var sequence-key></option>
+ &dtml-sequence-key;</option>
</dtml-in>
</select>
</div>
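Review bot: The label change mirrors the add.dtml hunk and is consistent with it; the `selected` test on `expr="connection_id==_vars['sequence-item']"` is a comparison that is never rendered, so it needs no quoting and is correctly left alone. It would be worth a one-line comment in the template noting that `value` and the label are both escaped, so the next editor does not reintroduce a bare `<dtml-var sequence-key>` here when add.dtml and edit.dtml drift apart.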
@@ -60,8 +60,7 @@
<div style="width: 100%;">
<textarea name="template:text" wrap="off" style="width: 100%;"
cols=<dtml-var sql_pref__cols html_quote missing="60">
- rows=<dtml-var sql_pref__rows html_quote missing="20">><dtml-var
- src fmt="html-quote"></textarea>
+ rows=<dtml-var sql_pref__rows html_quote missing="20">>&dtml-src;</textarea>
</div>
</td>
</tr>
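Review bot: The `cols=` and `rows=` attributes remain unquoted in HTML, and `html_quote` does not escape whitespace, so a `sql_pref__cols` or `sql_pref__rows` value containing a space would still be parsed as a separate attribute; wrapping them as `cols="<dtml-var sql_pref__cols html_quote missing="60">"` (and likewise for `rows`) closes that gap regardless of where the preference values originate. Keeping these two as explicit `<dtml-var ... html_quote missing=...>` is correct, since the `&dtml-foo;` form cannot express `missing`, and that is exactly the kind of remaining legitimate `<dtml-var>` the log message refers to; the `&dtml-src;` replacement is equivalent to the old `fmt="html-quote"` and safe inside the `<textarea>`.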