[Zope-Checkins] CVS: Zope/lib/python/Shared/DC/ZRDB/dtml - advanced.dtml:1.2.230.1 connectionAdd.dtml:1.2.230.1 connectionEdit.dtml:1.2.230.1 customDefaultReport.dtml:1.3.114.1 searchAdd.dtml:1.3.114.1
Florent Guillaume
fg@nuxeo.com
Wed, 23 Oct 2002 19:06:17 -0400
Update of /cvs-repository/Zope/lib/python/Shared/DC/ZRDB/dtml
In directory cvs.zope.org:/tmp/cvs-serv26857/lib/python/Shared/DC/ZRDB/dtml
Modified Files:
Tag: efge-death-to-dtml-var-branch
advanced.dtml connectionAdd.dtml connectionEdit.dtml
customDefaultReport.dtml searchAdd.dtml
Log Message:
Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.
=== Zope/lib/python/Shared/DC/ZRDB/dtml/advanced.dtml 1.2 => 1.2.230.1 ===
--- Zope/lib/python/Shared/DC/ZRDB/dtml/advanced.dtml:1.2 Mon Jan 8 17:47:06 2001
+++ Zope/lib/python/Shared/DC/ZRDB/dtml/advanced.dtml Wed Oct 23 19:06:16 2002
@@ -12,8 +12,7 @@
</div>
</td>
<td align="left" valign="top">
- <input name="max_rows:int" size="10" value="<dtml-var
- max_rows_ html_quote>">
+ <input name="max_rows:int" size="10" value="&dtml-max_rows_;">
</td>
</tr>
<tr>
@@ -23,8 +22,7 @@
</div>
</td>
<td align="left" valign="top">
- <input name="max_cache:int" size="10" value="<dtml-var
- max_cache_ html_quote>">
+ <input name="max_cache:int" size="10" value="&dtml-max_cache_;">
</td>
</tr>
<tr>
@@ -34,8 +32,7 @@
</div>
</td>
<td align="left" valign="top">
- <input name="cache_time:int" size="10" value="<dtml-var
- cache_time_ html_quote>">
+ <input name="cache_time:int" size="10" value="&dtml-cache_time_;">
</td>
</tr>
<dtml-if da_has_single_argument>
@@ -68,8 +65,7 @@
</div>
</td>
<td align="left" valign="top">
- <input name="class_name" size="30" value="<dtml-var
- class_name_ html_quote>">
+ <input name="class_name" size="30" value="&dtml-class_name_;">
</td>
</tr>
<tr>
@@ -105,8 +101,8 @@
<dtml-in manage_product_zclass_info mapping>
<dtml-with "_(v='%s/%s' % (product, id))">
<option value="&dtml-v;" &dtml-selected;>
- <dtml-var product> <dtml-var id>
- (<dtml-var meta_type>)</option>
+ &dtml-product; &dtml-id;
+ (&dtml-meta_type;)</option>
</dtml-with>
</dtml-in>
</select>
=== Zope/lib/python/Shared/DC/ZRDB/dtml/connectionAdd.dtml 1.2 => 1.2.230.1 ===
--- Zope/lib/python/Shared/DC/ZRDB/dtml/connectionAdd.dtml:1.2 Mon Jan 8 17:47:06 2001
+++ Zope/lib/python/Shared/DC/ZRDB/dtml/connectionAdd.dtml Wed Oct 23 19:06:16 2002
@@ -4,7 +4,7 @@
form_title='Add %s Connection' % database_type
)">
- <form action="manage_addZ<dtml-var database_type>Connection"
+ <form action="manage_addZ&dtml-database_type;Connection"
method="POST">
<table cellspacing="2">
<tr>
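Review bot: `&dtml-database_type;` on the new form line html-quotes a value that is being interpolated into a URL path (`manage_addZ…Connection`), so the contextual encoding would be `&dtml.url_quote-database_type;` rather than plain html_quote. As far as this hunk shows, database_type is a product-level name rather than request input, so the practical exposure looks nil, but the same string also feeds the `form_title` expression on the context line above, whose rendering is outside this hunk and untouched by the commit. A one-line comment recording its origin, e.g. `<dtml-comment>database_type is supplied by the DA product, not by the request</dtml-comment>`, would make the audit the log message asks for easier.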
@@ -15,7 +15,7 @@
</td>
<td align="LEFT" valign="TOP">
<input type="TEXT" name="id" size="40"
- value="<dtml-var default_id html_quote>">
+ value="&dtml-default_id;">
</td>
</tr>
<tr>
@@ -26,7 +26,7 @@
</td>
<td align="LEFT" valign="TOP">
<input type="TEXT" name="title" size="40"
- value="<dtml-var default_title html_quote>">
+ value="&dtml-default_title;">
</td>
</tr>
<tr>
=== Zope/lib/python/Shared/DC/ZRDB/dtml/connectionEdit.dtml 1.2 => 1.2.230.1 ===
--- Zope/lib/python/Shared/DC/ZRDB/dtml/connectionEdit.dtml:1.2 Mon Jan 8 17:47:06 2001
+++ Zope/lib/python/Shared/DC/ZRDB/dtml/connectionEdit.dtml Wed Oct 23 19:06:16 2002
@@ -9,7 +9,7 @@
Id
</div>
</td>
- <td align="LEFT" valign="TOP"><dtml-var id></td>
+ <td align="LEFT" valign="TOP">&dtml-id;</td>
</tr>
<tr>
@@ -20,7 +20,7 @@
</td>
<td align="LEFT" valign="TOP">
<input type="TEXT" name="title" size="40"
- value="<dtml-var title html_quote>">
+ value="&dtml-title;">
</td>
</tr>
@@ -32,7 +32,7 @@
</td>
<td align="LEFT" valign="TOP">
<input type="TEXT" name="connection_string" size="40"
- value="<dtml-var connection_string html_quote>">
+ value="&dtml-connection_string;">
</td>
</tr>
<tr>
=== Zope/lib/python/Shared/DC/ZRDB/dtml/customDefaultReport.dtml 1.3 => 1.3.114.1 ===
--- Zope/lib/python/Shared/DC/ZRDB/dtml/customDefaultReport.dtml:1.3 Wed Oct 31 13:49:57 2001
+++ Zope/lib/python/Shared/DC/ZRDB/dtml/customDefaultReport.dtml Wed Oct 23 19:06:16 2002
@@ -3,9 +3,8 @@
<dtml-if previous-sequence>
- <a href="<dtml-var URL><dtml-var sequence-query
- >query_start=<dtml-var
- previous-sequence-start-number>">
+ <a href="&dtml-URL;<dtml-var sequence-query
+ >query_start=<dtml-var previous-sequence-start-number>">
(Previous <dtml-var previous-sequence-size> results)
</a>
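Review bot: Only `URL` is moved to the quoted `&dtml-URL;` form on the new href line; `sequence-query` and `previous-sequence-start-number` inside the same attribute stay as raw `<dtml-var>`, and the next hunk (next-sequence, L138-146) has the same shape. The start number is an integer and is harmless, but `sequence-query` is assembled from the request's form values, so unless dtml-in url-quotes each value before it reaches this template a `"` in a query parameter would close the attribute — confirm against DT_In before treating these as the "legitimate" `<dtml-var>`s the log message refers to. If dtml-in does quote it, a comment such as `<dtml-comment>sequence-query is url-quoted by dtml-in; URL is html-quoted here</dtml-comment>` would record that for future audits; otherwise `&dtml-sequence-query;` (whose `&amp;` separators are valid inside an href) is the entity form to use, as `&dtml-sequence-item;` in searchAdd.dtml shows hyphenated names are accepted.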
@@ -25,9 +24,8 @@
<dtml-if next-sequence>
- <a href="<dtml-var URL><dtml-var sequence-query
- >query_start=<dtml-var
- next-sequence-start-number>">
+ <a href="&dtml-URL;<dtml-var sequence-query
+ >query_start=<dtml-var next-sequence-start-number>">
(Next <dtml-var next-sequence-size> results)
</a>
@@ -36,6 +34,6 @@
<dtml-else>
- There was no data matching this <dtml-var title_or_id> query.
+ There was no data matching this &dtml-title_or_id; query.
</dtml-in>
=== Zope/lib/python/Shared/DC/ZRDB/dtml/searchAdd.dtml 1.3 => 1.3.114.1 ===
--- Zope/lib/python/Shared/DC/ZRDB/dtml/searchAdd.dtml:1.3 Wed Oct 31 13:49:57 2001
+++ Zope/lib/python/Shared/DC/ZRDB/dtml/searchAdd.dtml Wed Oct 23 19:06:16 2002
@@ -33,7 +33,7 @@
<div class="form-element">
<select name="queries:list" size="4" multiple>
<dtml-in ZQueryIds>
- <option><dtml-var sequence-item></option>
+ <option>&dtml-sequence-item;</option>
</dtml-in>
</select>
</div>