[Zope-Checkins] CVS: Zope/lib/python/Products/PluginIndexes/TopicIndex/dtml - editFilteredSet.dtml:1.2.80.1 manageTopicIndex.dtml:1.3.8.1
Florent Guillaume
fg@nuxeo.com
Wed, 23 Oct 2002 19:06:44 -0400
Update of /cvs-repository/Zope/lib/python/Products/PluginIndexes/TopicIndex/dtml
In directory cvs.zope.org:/tmp/cvs-serv26857/lib/python/Products/PluginIndexes/TopicIndex/dtml
Modified Files:
Tag: efge-death-to-dtml-var-branch
editFilteredSet.dtml manageTopicIndex.dtml
Log Message:
Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.
=== Zope/lib/python/Products/PluginIndexes/TopicIndex/dtml/editFilteredSet.dtml 1.2 => 1.2.80.1 ===
--- Zope/lib/python/Products/PluginIndexes/TopicIndex/dtml/editFilteredSet.dtml:1.2 Thu Feb 28 10:31:41 2002
+++ Zope/lib/python/Products/PluginIndexes/TopicIndex/dtml/editFilteredSet.dtml Wed Oct 23 19:06:13 2002
@@ -5,7 +5,7 @@
<dtml-with "filteredSets[filteredSet]">
<form action="manage_saveFilteredSet" method="post" enctype="multipart/form-data">
-<input type="hidden" name="filterId" value="<dtml-var getId url_quote>" >
+<input type="hidden" name="filterId" value="&dtml-getId;" >
<table cellspacing="0" cellpadding="2" border="1" width="90%" align="center">
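Review bot: `url_quote` on the removed line was the wrong transformation for a form field value, not just a cosmetic one: it percent-encodes rather than HTML-escapes, so an id with a space or other non-alphanumeric character would reach `manage_saveFilteredSet` mangled (`my set` submitted as `my%20set`) unless the handler undid it, while it did nothing to address the attribute context this value actually sits in. `&dtml-getId;` applies html_quote, which escapes `&`, `<`, `>` and `"`, so a `"` in the id can no longer close the `value="..."` attribute and the id round-trips unchanged through the POST. Worth checking that `manage_saveFilteredSet` does not url-unquote `filterId` to compensate for the old behaviour, since that would now corrupt ids containing `%` or `+`.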
@@ -17,19 +17,19 @@
<tr>
<th>FilteredSet Id</th>
<td>
- <dtml-var getId>
+ &dtml-getId;
</td>
</tr>
<tr>
<th>FilteredSet Type</th>
- <td><dtml-var getType></td>
+ <td>&dtml-getType;</td>
</tr>
<tr>
<th>FilteredSet Expression</th>
<td>
- <textarea name="expr" cols="60" rows="5"><dtml-var getExpression></textarea>
+ <textarea name="expr" cols="60" rows="5">&dtml-getExpression;</textarea>
</td>
</tr>
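Review bot: the textarea on the changed line is the one that matters most in this hunk: `getExpression` echoes back whatever was previously submitted in the `expr` field, and an unescaped `</textarea><script>` stored there would have run for anyone opening this edit form. html_quote now turns `<` into `&lt;`, so the closing tag can't be forged from the stored expression, and since browsers decode character references in textarea content before resubmitting, the expression still round-trips intact. The Id and Type cells get the same treatment, which is consistent with the commit's aim of leaving only deliberately unquoted `<dtml-var>` tags to audit.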
=== Zope/lib/python/Products/PluginIndexes/TopicIndex/dtml/manageTopicIndex.dtml 1.3 => 1.3.8.1 ===
--- Zope/lib/python/Products/PluginIndexes/TopicIndex/dtml/manageTopicIndex.dtml:1.3 Thu Sep 12 07:26:30 2002
+++ Zope/lib/python/Products/PluginIndexes/TopicIndex/dtml/manageTopicIndex.dtml Wed Oct 23 19:06:13 2002
@@ -27,24 +27,24 @@
<tr>
<td align="center">
- <input type="checkbox" name="filterIds:list" value="<dtml-var "fs.getId()">">
+ <input type="checkbox" name="filterIds:list" value="<dtml-var "fs.getId()" html_quote>">
</td>
<td align="center" valign="top">
<div class="form-label">
- <a href="editFilteredSet?filteredSet=&dtml-id;"><dtml-var getId> </a>
+ <a href="editFilteredSet?filteredSet=&dtml-id;">&dtml-getId; </a>
</div>
</td>
<td align="center" valign="top">
<div class="form-label">
- <dtml-var getType>
+ &dtml-getType;
</div>
</td>
<td align="left" valign="top">
<div class="form-label">
- <dtml-var getExpression>
+ &dtml-getExpression;
</div>
</td>
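Review bot: the explicit `html_quote` on the checkbox value is the right fix and has to be spelled out because the entity syntax can't take an expression like `fs.getId()`, but two things in the rest of the row deserve a look. The unchanged `href="editFilteredSet?filteredSet=&dtml-id;"` only html_quotes a query-string value: an id containing `&`, `#`, `?` or a space goes into the URL unencoded (the `&amp;` html_quote produces is decoded by the browser before the request is made, so an `&` in the id still splits the query string), and url_quote is the escaping that position needs (`&dtml.url_quote-id;` in entity form, or an explicit `<dtml-var id url_quote>`). Also, the same id is fetched three different ways in one row (`fs.getId()`, `id` and `getId`); settling on one, preferably `getId`, makes the remaining quoting easier to audit, which is the stated purpose of this branch.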