[Zope-Checkins] CVS: Zope/lib/python/AccessControl/dtml - access.dtml:1.5.64.1 acquiredEdit.dtml:1.3.200.1 addUser.dtml:1.5.148.1 editLocalRoles.dtml:1.4.166.1 editUser.dtml:1.6.148.1 listLocalRoles.dtml:1.5.136.1 mainUser.dtml:1.3.232.1 methodAccess.dtml:1.3.192.1 permissionEdit.dtml:1.3.200.1 roleEdit.dtml:1.2.232.1
Florent Guillaume
fg@nuxeo.com
Wed, 23 Oct 2002 19:06:42 -0400
Update of /cvs-repository/Zope/lib/python/AccessControl/dtml
In directory cvs.zope.org:/tmp/cvs-serv26857/lib/python/AccessControl/dtml
Modified Files:
Tag: efge-death-to-dtml-var-branch
access.dtml acquiredEdit.dtml addUser.dtml editLocalRoles.dtml
editUser.dtml listLocalRoles.dtml mainUser.dtml
methodAccess.dtml permissionEdit.dtml roleEdit.dtml
Log Message:
Replaced most <dtml-var> tags with &dtml-foo; entities.
This corrects a number of potential XSS holes and makes the
remaining legitimate <dtml-var> tags easier to audit.
=== Zope/lib/python/AccessControl/dtml/access.dtml 1.5 => 1.5.64.1 ===
--- Zope/lib/python/AccessControl/dtml/access.dtml:1.5 Mon Mar 11 10:29:38 2002
+++ Zope/lib/python/AccessControl/dtml/access.dtml Wed Oct 23 19:06:11 2002
@@ -57,8 +57,7 @@
<dtml-in valid_roles>
<td align="left">
<div class="list-item">
- <a href="manage_roleForm?role_to_manage=<dtml-var
- sequence-item url_quote>"><dtml-var sequence-item></a>
+ <a href="manage_roleForm?role_to_manage=&dtml.url_quote-sequence-item;">&dtml-sequence-item;</a>
</div>
</td>
</dtml-in valid_roles>
@@ -73,19 +72,17 @@
<dtml-unless isTopLevelPrincipiaApplicationObject>
<td align="left" valign="top">
- <input type="checkbox" name="a<dtml-var sequence-index>" <dtml-var
- acquire> />
+ <input type="checkbox" name="a&dtml-sequence-index;" &dtml-acquire; />
</td>
</dtml-unless>
<td align="left" nowrap>
<div class="list-item">
- <a href="manage_permissionForm?permission_to_manage=<dtml-var
- name url_quote>"><dtml-var name></a>
+ <a href="manage_permissionForm?permission_to_manage=&dtml.url_quote-name;">&dtml-name;</a>
</div>
</td>
<dtml-in roles mapping>
<td align="center">
- <input type="checkbox" name="<dtml-var name>" <dtml-var checked> />
+ <input type="checkbox" name="&dtml-name;" &dtml-checked; />
</td>
</dtml-in>
</tr>
@@ -139,7 +136,7 @@
<div class="form-element">
<select name="roles:list">
<dtml-in userdefined_roles>
- <option value="&dtml-sequence-item;"><dtml-var sequence-item></option>
+ <option value="&dtml-sequence-item;">&dtml-sequence-item;</option>
</dtml-in userdefined_roles>
</select>
</div>
=== Zope/lib/python/AccessControl/dtml/acquiredEdit.dtml 1.3 => 1.3.200.1 ===
--- Zope/lib/python/AccessControl/dtml/acquiredEdit.dtml:1.3 Thu Feb 8 14:31:39 2001
+++ Zope/lib/python/AccessControl/dtml/acquiredEdit.dtml Wed Oct 23 19:06:11 2002
@@ -9,7 +9,7 @@
<form action="manage_acquiredPermissions" method="post">
<select name="permissions:list" multiple size="10">
<dtml-in permission_settings mapping>
- <option<dtml-if acquire> selected</dtml-if>><dtml-var name></option>
+ <option<dtml-if acquire> selected</dtml-if>>&dtml-name;</option>
</dtml-in>
</select>
<p>
=== Zope/lib/python/AccessControl/dtml/addUser.dtml 1.5 => 1.5.148.1 ===
--- Zope/lib/python/AccessControl/dtml/addUser.dtml:1.5 Tue Jul 3 21:37:34 2001
+++ Zope/lib/python/AccessControl/dtml/addUser.dtml Wed Oct 23 19:06:11 2002
@@ -76,8 +76,7 @@
<dtml-if expr="_vars['sequence-item'] != 'Authenticated'">
<dtml-if expr="_vars['sequence-item'] != 'Anonymous'">
<dtml-if expr="_vars['sequence-item'] != 'Shared'">
- <option value="<dtml-var sequence-item html_quote>"><dtml-var
- sequence-item>
+ <option value="&dtml-sequence-item;">&dtml-sequence-item;
</dtml-if>
</dtml-if>
</dtml-if>
=== Zope/lib/python/AccessControl/dtml/editLocalRoles.dtml 1.4 => 1.4.166.1 ===
--- Zope/lib/python/AccessControl/dtml/editLocalRoles.dtml:1.4 Wed May 30 10:50:24 2001
+++ Zope/lib/python/AccessControl/dtml/editLocalRoles.dtml Wed Oct 23 19:06:11 2002
@@ -25,18 +25,17 @@
</tr>
<tr>
<td align="left" valign="top">
- <div class="form-text"><dtml-var userid></div>
+ <div class="form-text">&dtml-userid;</div>
</td>
<td align="left" valign="top">
<div class="form-element">
- <input type="hidden" name="userid" value="<dtml-var userid html_quote>">
+ <input type="hidden" name="userid" value="&dtml-userid;">
<dtml-with "_(user_roles=get_local_roles_for_userid(userid))">
<select name="roles:list" size="5" multiple>
<dtml-in valid_roles><dtml-if
"_vars['sequence-item'] not in ('Anonymous', 'Shared', 'Authenticated')">
-<option value="<dtml-var sequence-item html_quote>"<dtml-if
-"_['sequence-item'] in user_roles"> selected</dtml-if>><dtml-var
-sequence-item>
+<option value="&dtml-sequence-item;"<dtml-if
+"_['sequence-item'] in user_roles"> selected</dtml-if>>&dtml-sequence-item;
</dtml-if>
</dtml-in>
</select>
=== Zope/lib/python/AccessControl/dtml/editUser.dtml 1.6 => 1.6.148.1 ===
--- Zope/lib/python/AccessControl/dtml/editUser.dtml:1.6 Tue Jul 3 21:37:34 2001
+++ Zope/lib/python/AccessControl/dtml/editUser.dtml Wed Oct 23 19:06:11 2002
@@ -16,16 +16,14 @@
</TD>
<TD VALIGN="TOP">
<div class="form-text">
-<dtml-var expr="user.name">
+<dtml-var expr="user.name" html_quote>
</div>
</TD>
</TR>
<TR><TD COLSPAN=2> </TD></TR>
<dtml-if remote_user_mode__>
- <INPUT TYPE="HIDDEN" NAME="password" value="<dtml-var
- password html_quote>" />
- <INPUT TYPE="HIDDEN" NAME="confirm" value="<dtml-var
- password html_quote>" />
+ <INPUT TYPE="HIDDEN" NAME="password" value="&dtml-password;" />
+ <INPUT TYPE="HIDDEN" NAME="confirm" value="&dtml-password;" />
<dtml-else>
<TR>
<TD VALIGN="TOP">
@@ -56,7 +54,7 @@
</TD>
<TD VALIGN="TOP">
<INPUT TYPE="TEXT" NAME="domains:tokens" SIZE="30"
- VALUE="<dtml-if expr="user.domains"><dtml-in expr="user.domains"><dtml-var sequence-item html_quote> </dtml-in></dtml-if>" />
+ VALUE="<dtml-if expr="user.domains"><dtml-in expr="user.domains">&dtml-sequence-item; </dtml-in></dtml-if>" />
</TD>
</TR>
@@ -74,10 +72,9 @@
<dtml-if expr="_vars['sequence-item'] != 'Anonymous'">
<dtml-if expr="_vars['sequence-item'] != 'Shared'">
<dtml-if expr="_vars['sequence-item'] in user.roles">
-<OPTION VALUE="<dtml-var sequence-item html_quote>" selected><dtml-var
- sequence-item>
+<OPTION VALUE="&dtml-sequence-item;" selected>&dtml-sequence-item;
<dtml-else>
-<OPTION VALUE="<dtml-var sequence-item html_quote>"><dtml-var sequence-item>
+<OPTION VALUE="&dtml-sequence-item;">&dtml-sequence-item;
</dtml-if>
</dtml-if>
</dtml-if>
@@ -85,8 +82,7 @@
</dtml-in valid_roles>
</SELECT>
-<INPUT TYPE="HIDDEN" NAME="name" VALUE="<dtml-var
- expr="user.name" html_quote>" />
+<INPUT TYPE="HIDDEN" NAME="name" VALUE="<dtml-var expr="user.name" html_quote>" />
<br /><br />
<INPUT class="form-element" TYPE="SUBMIT" NAME="submit" VALUE="Change" />
</div>
=== Zope/lib/python/AccessControl/dtml/listLocalRoles.dtml 1.5 => 1.5.136.1 ===
--- Zope/lib/python/AccessControl/dtml/listLocalRoles.dtml:1.5 Tue Oct 2 12:16:24 2001
+++ Zope/lib/python/AccessControl/dtml/listLocalRoles.dtml Wed Oct 23 19:06:11 2002
@@ -4,7 +4,7 @@
</dtml-with>
<dtml-if stat>
<hr>
-<font color="red"><dtml-var stat></font>
+<font color="red">&dtml-stat;</font>
<hr>
</dtml-if>
@@ -25,14 +25,12 @@
<dtml-in get_local_roles>
<tr>
<td align="left" valign="top">
- <input type="checkbox" name="userids:list" value="<dtml-var
- sequence-key html_quote>" />
+ <input type="checkbox" name="userids:list" value="&dtml-sequence-key;" />
</td>
<td align="left" valign="top">
<div class="form-text">
- <a href="manage_editLocalRoles?userid=<dtml-var sequence-key
- fmt="url-quote">"><dtml-var sequence-key></a> (<dtml-in
- sequence-item><dtml-var sequence-item><dtml-unless
+ <a href="manage_editLocalRoles?userid=&dtml.url_quote-sequence-key;">&dtml-sequence-key;</a> (<dtml-in
+ sequence-item>&dtml-sequence-item;<dtml-unless
sequence-end>, </dtml-unless></dtml-in>)
</div>
</td>
@@ -77,8 +75,7 @@
<dtml-try>
<select name="userid" size="5">
<dtml-in get_valid_userids>
- <option value="<dtml-var sequence-item html_quote>"><dtml-var
- sequence-item></option>
+ <option value="&dtml-sequence-item;">&dtml-sequence-item;</option>
</dtml-in>
</select>
<dtml-except OverflowError>
@@ -93,8 +90,7 @@
<select name="roles:list" size="5" multiple>
<dtml-in valid_roles><dtml-if
"_vars['sequence-item'] not in ('Anonymous', 'Shared', 'Authenticated')">
-<option value="<dtml-var sequence-item html_quote>"><dtml-var
- sequence-item></option>
+<option value="&dtml-sequence-item;">&dtml-sequence-item;</option>
</dtml-if>
</dtml-in>
</select>
=== Zope/lib/python/AccessControl/dtml/mainUser.dtml 1.3 => 1.3.232.1 ===
--- Zope/lib/python/AccessControl/dtml/mainUser.dtml:1.3 Fri Jan 12 14:25:23 2001
+++ Zope/lib/python/AccessControl/dtml/mainUser.dtml Wed Oct 23 19:06:11 2002
@@ -16,16 +16,13 @@
<tr class="row-hilite">
</dtml-if>
<td align="left" valign="top">
- <input type="checkbox" name="names:list" value="<dtml-var
- sequence-item html_quote>" />
+ <input type="checkbox" name="names:list" value="&dtml-sequence-item;" />
</td>
<td align="left" valign="top">
<div class="list-item">
- <a href="manage_users?name=<dtml-var
- sequence-item fmt=url-quote>&submit=Edit"><img src="<dtml-var
- BASEPATH1>/p_/User_icon" alt="" border="0" /></a>
- <a href="manage_users?name=<dtml-var sequence-item
- fmt=url-quote>&submit=Edit"><dtml-var sequence-item></a>
+ <a href="manage_users?name=&dtml.url_quote-sequence-item;&submit=Edit"><img src="&dtml-BASEPATH1;/p_/User_icon"
+ alt="" border="0" /></a>
+ <a href="manage_users?name=&dtml.url_quote-sequence-item;&submit=Edit">&dtml-sequence-item;</a>
</div>
</td>
</tr>
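Review bot: Both rewritten `<a href="manage_users?name=&dtml.url_quote-sequence-item;&submit=Edit">` lines keep a bare `&` before `submit`, which is not well-formed attribute content; DTML only consumes `&dtml-…;` entities, so `&amp;submit=Edit` would pass through to the browser as intended. Apply the same change to the `<a href="manage_roleForm…">` and `<a href="manage_editLocalRoles…">` hrefs in access.dtml and listLocalRoles.dtml if they grow extra query parameters later. The `&dtml.url_quote-…;` filter itself is the right choice for an href, since url_quote also encodes quotes and ampersands in the value.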
=== Zope/lib/python/AccessControl/dtml/methodAccess.dtml 1.3 => 1.3.192.1 ===
--- Zope/lib/python/AccessControl/dtml/methodAccess.dtml:1.3 Fri Apr 13 10:14:03 2001
+++ Zope/lib/python/AccessControl/dtml/methodAccess.dtml Wed Oct 23 19:06:11 2002
@@ -47,19 +47,18 @@
</dtml-if>
<td align="left" valign="top">
<div class="form-text">
- <dtml-var permission_name>
+ &dtml-permission_name;
</div>
</td>
<td align="left" valign="top">
<div class="form-element">
- <input type="hidden" name="permission_names:list" value="<dtml-var
- permission_name html_quote>" />
+ <input type="hidden" name="permission_names:list" value="&dtml-permission_name;" />
<select name="class_permissions:list">
<option value=""<dtml-unless
class_permission> selected</dtml-unless>>(disabled)</option>
<dtml-in valid>
<option<dtml-if "_['sequence-item']==class_permission"
- > selected</dtml-if>><dtml-var sequence-item></option>
+ > selected</dtml-if>>&dtml-sequence-item;</option>
</dtml-in>
</select>
</div>
=== Zope/lib/python/AccessControl/dtml/permissionEdit.dtml 1.3 => 1.3.200.1 ===
--- Zope/lib/python/AccessControl/dtml/permissionEdit.dtml:1.3 Thu Feb 8 14:31:39 2001
+++ Zope/lib/python/AccessControl/dtml/permissionEdit.dtml Wed Oct 23 19:06:11 2002
@@ -3,18 +3,16 @@
<dtml-if manage_tabs><dtml-var manage_tabs></dtml-if manage_tabs>
</dtml-with>
<p class="form-text">
-Roles assigned to the permission <strong><dtml-var
-permission_to_manage></strong>
+Roles assigned to the permission <strong>&dtml-permission_to_manage;</strong>
</p>
<form action="manage_permission" method="post">
<p>
-<input type="hidden" name="permission_to_manage" value="<dtml-var
- permission_to_manage html_quote>" />
+<input type="hidden" name="permission_to_manage" value="&dtml-permission_to_manage;" />
<div class="form-element">
<select name="roles:list" multiple size="10">
<dtml-in expr="rolesOfPermission(permission_to_manage)" mapping=1>
- <option <dtml-var selected>><dtml-var name></option>
+ <option &dtml-selected;>&dtml-name;</option>
</dtml-in>
</select>
</div>
@@ -23,8 +21,7 @@
<dtml-unless isTopLevelPrincipiaApplicationObject>
<p>
<div class="form-text">
-<input type="checkbox" name="acquire" <dtml-var
-expr="acquiredRolesAreUsedBy(permission_to_manage)">>
+<input type="checkbox" name="acquire" <dtml-var expr="acquiredRolesAreUsedBy(permission_to_manage)">>
Also use roles acquired from folders containing this object
</p>
</dtml-unless>
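Review bot: The `<dtml-var expr="acquiredRolesAreUsedBy(permission_to_manage)">` kept on the rewritten checkbox line is now one of the few unquoted `<dtml-var>` tags left, and nothing in the template records why it is safe to emit raw, which the log message says is the point of keeping the survivors auditable. A one-line `<dtml-comment>` such as `<dtml-comment>deliberately unquoted: acquiredRolesAreUsedBy is expected to yield a fixed attribute token (checked or empty), not user-supplied text</dtml-comment>` above it would do; its return value is not visible here, so confirm that against the method before committing the comment. Unrelated to the change, the `<div class="form-text">` opened two lines earlier in this hunk is closed by `</p>` rather than `</div>`.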
=== Zope/lib/python/AccessControl/dtml/roleEdit.dtml 1.2 => 1.2.232.1 ===
--- Zope/lib/python/AccessControl/dtml/roleEdit.dtml:1.2 Mon Jan 8 17:46:56 2001
+++ Zope/lib/python/AccessControl/dtml/roleEdit.dtml Wed Oct 23 19:06:11 2002
@@ -2,17 +2,16 @@
<dtml-if manage_tabs><dtml-var manage_tabs></dtml-if manage_tabs>
<p class="form-text">
-Permissions assigned to the role <strong><dtml-var role_to_manage></strong>
+Permissions assigned to the role <strong>&dtml-role_to_manage;</strong>
</p>
<form action="manage_role" method="post">
<p>
-<input type=hidden name=role_to_manage value="<dtml-var
- role_to_manage html_quote>">
+<input type=hidden name=role_to_manage value="&dtml-role_to_manage;">
<div class="form-element">
<select name="permissions:list" multiple size="10">
<dtml-in expr="permissionsOfRole(role_to_manage)" mapping=1>
- <option <dtml-var selected>><dtml-var name></option>
+ <option &dtml-selected;>&dtml-name;</option>
</dtml-in>
</select>
</div>
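Review bot: The rewritten `<input type=hidden name=role_to_manage value="&dtml-role_to_manage;">` line leaves `type` and `name` unquoted while the equivalent line added to permissionEdit.dtml in this same commit quotes them; for consistency and well-formed markup write `<input type="hidden" name="role_to_manage" value="&dtml-role_to_manage;">`. The enclosing form continues past the end of the hunk.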