[Zope-Checkins] CVS: Zope/lib/python/Products/ZopeTutorial/dtml - glossaryView.dtml:1.4 lessonView.dtml:1.5 tutorialNav.dtml:1.3

Florent Guillaume fg@nuxeo.com
Sun, 22 Dec 2002 12:54:40 -0500


Update of /cvs-repository/Zope/lib/python/Products/ZopeTutorial/dtml
In directory cvs.zope.org:/tmp/cvs-serv14380/lib/python/Products/ZopeTutorial/dtml

Modified Files:
	glossaryView.dtml lessonView.dtml tutorialNav.dtml 
Log Message:
Merged efge-death-to-dtml-var-branch into HEAD:

Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.


=== Zope/lib/python/Products/ZopeTutorial/dtml/glossaryView.dtml 1.3 => 1.4 ===
--- Zope/lib/python/Products/ZopeTutorial/dtml/glossaryView.dtml:1.3	Sat Jun 29 21:43:48 2002
+++ Zope/lib/python/Products/ZopeTutorial/dtml/glossaryView.dtml	Sun Dec 22 12:54:09 2002
@@ -27,12 +27,12 @@
 }
 </style>
 
-<h2><dtml-var title></h2>
+<h2>&dtml-title;</h2>
 
 <dtml-var expr="formatted_content(REQUEST)">
 
 <p class="feedback">Comments on this lesson?
-<a href="mailto:zdp@zope.org?subject=<dtml-var title>">Email feedback</a>.
+<a href="mailto:zdp@zope.org?subject=&dtml.url_quote_plus-title;">Email feedback</a>.
 </p>
 
 <dtml-var standard_html_footer>
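Review bot: the `<dtml-var expr="formatted_content(REQUEST)">` left in the context of this hunk still emits its result without HTML quoting; since the log message gives auditability of the remaining legitimate `<dtml-var>` as a goal, a short `<dtml-comment>formatted_content returns pre-rendered HTML and must not be quoted</dtml-comment>` next to it would record why this one is intentionally raw. The two title changes look correct: `&dtml-title;` HTML-quotes the heading, and `&dtml.url_quote_plus-title;` URL-quotes the value inside the mailto query string, which also neutralises the `"` that previously allowed the title to close the `href` attribute early.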


=== Zope/lib/python/Products/ZopeTutorial/dtml/lessonView.dtml 1.4 => 1.5 ===
--- Zope/lib/python/Products/ZopeTutorial/dtml/lessonView.dtml:1.4	Sat Jun 29 21:43:48 2002
+++ Zope/lib/python/Products/ZopeTutorial/dtml/lessonView.dtml	Sun Dec 22 12:54:09 2002
@@ -27,7 +27,7 @@
 }
 </style>
 
-<h2><dtml-var title></h2>
+<h2>&dtml-title;</h2>
 
 <dtml-var obj>
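Review bot: `<dtml-var obj>` in the unchanged context below the title is another raw insertion that survives this change; if `obj` is expected to render itself as HTML, say so in a `<dtml-comment>` beside it so it is not mistaken for a missed case during the audit the log message describes.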
 
@@ -35,7 +35,7 @@
 <dtml-var tutorialNavigation>
 
 <p class="feedback">Comments on this lesson?
-<a href="mailto:zdp@zope.org?subject=<dtml-var title>">Email feedback</a>.
+<a href="mailto:zdp@zope.org?subject=&dtml.url_quote_plus-title;">Email feedback</a>.
 </p>
 
 <dtml-var standard_html_footer>
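Review bot: this feedback block is identical to the one fixed in glossaryView.dtml in the same commit; moving the `<p class="feedback">...</p>` markup into one shared DTML method would mean the next quoting fix lands in one place rather than two.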


=== Zope/lib/python/Products/ZopeTutorial/dtml/tutorialNav.dtml 1.2 => 1.3 ===
--- Zope/lib/python/Products/ZopeTutorial/dtml/tutorialNav.dtml:1.2	Mon Jan  8 17:47:05 2001
+++ Zope/lib/python/Products/ZopeTutorial/dtml/tutorialNav.dtml	Sun Dec 22 12:54:09 2002
@@ -7,7 +7,7 @@
 <tr valign="top"><td width="50%" align="right">
 
 <dtml-if "i > 0">
-  <form action="../<dtml-var "ids[i-1]">">
+  <form action="../<dtml-var "ids[i-1]" url_quote>">
   <div class="form-element">
   <input class="form-element" type="submit" value=" &lt; Back ">
   </div>
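Review bot: the expression form `<dtml-var "ids[i-1]" url_quote>` cannot be written with the `&dtml-name;` entity syntax, which only accepts a plain name, so this is a legitimate remaining `<dtml-var>`; a one-line `<dtml-comment>` noting that the id is quoted for use as a path segment would keep it from standing out in a grep for `<dtml-var`. `url_quote` is the right filter here, since the value lands inside an `action="..."` attribute as a URL path component rather than in page text, and it also covers the `"` and `<` cases that would matter in the attribute.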
@@ -19,7 +19,7 @@
 
 <dtml-unless hide_next>
 <dtml-if "i < _.len(ids) -1 ">
-  <form action="../<dtml-var "ids[i+1]">">
+  <form action="../<dtml-var "ids[i+1]" url_quote>">
   <div class="form-element">
   <input class="form-element" type="submit" value=" Next &gt; ">
   </div>
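Review bot: consistent with the Back form in the previous hunk; both forms quote the neighbouring id the same way. The `<dtml-if "i < _.len(ids) -1 ">` guard in the context carries a stray space before the closing quote (`-1 "`), harmless to the expression but worth tidying while the adjacent line is being touched.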