[Zope-Checkins] CVS: Zope/lib/python/Products/PluginIndexes/TextIndex/dtml - addTextIndex.dtml:1.4.26.1 manageTextIndex.dtml:1.3.26.1 manage_vocab.dtml:1.5.28.1

Florent Guillaume fg@nuxeo.com
Wed, 23 Oct 2002 19:06:44 -0400


Update of /cvs-repository/Zope/lib/python/Products/PluginIndexes/TextIndex/dtml
In directory cvs.zope.org:/tmp/cvs-serv26857/lib/python/Products/PluginIndexes/TextIndex/dtml

Modified Files:
      Tag: efge-death-to-dtml-var-branch
	addTextIndex.dtml manageTextIndex.dtml manage_vocab.dtml 
Log Message:
Replaced most <dtml-var> tags with the auto-HTML-quoting &dtml-foo;
entity form, and added html_quote to the <dtml-var> tags that must stay.
This closes a number of potential XSS holes and makes the remaining
legitimate <dtml-var> tags easier to audit.


=== Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/addTextIndex.dtml 1.4 => 1.4.26.1 ===
--- Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/addTextIndex.dtml:1.4	Tue Jun 11 16:20:11 2002
+++ Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/addTextIndex.dtml	Wed Oct 23 19:06:13 2002
@@ -45,7 +45,7 @@
         <select name="extra.vocabulary:record">  
           <dtml-in expr="superValues('Vocabulary')">
             <option value="&dtml-id;">
-              &dtml-id; <dtml-var title fmt="(%s)" null>
+              &dtml-id; <dtml-var title fmt="(%s)" null html_quote>
             </option>
           </dtml-in>
         </select>
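Review bot: The `<dtml-var title fmt="(%s)" null html_quote>` kept on the new side of this hunk is exactly the kind of "remaining legitimate <dtml-var>" the log message says should be auditable, but nothing in the template records why it could not become `&dtml-title;`, so the next audit will flag it again. A one-line `<dtml-comment>title keeps <dtml-var> because fmt= has no &dtml-...; form; html_quote escapes it</dtml-comment>` placed before the `<dtml-in>` would settle that. As far as DT_Var's filter ordering goes, `fmt` is applied before `html_quote`, so the parentheses survive and only the title text is escaped; `&dtml-id;` in the value attribute and in the option body is already entity-quoted. The enclosing form starts before this hunk.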


=== Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manageTextIndex.dtml 1.3 => 1.3.26.1 ===
--- Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manageTextIndex.dtml:1.3	Tue Jun 11 16:20:11 2002
+++ Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manageTextIndex.dtml	Wed Oct 23 19:06:13 2002
@@ -15,11 +15,11 @@
       <dtml-in "superValues('Vocabulary')">
         <dtml-if "getId()==vocabulary_id">
           <option value="&dtml-id;" selected>
-            &dtml-id; <dtml-var title fmt="(%s)" null>
+            &dtml-id; <dtml-var title fmt="(%s)" null html_quote>
           </option> 
         <dtml-else>
           <option value="&dtml-id;">
-            &dtml-id; <dtml-var title fmt="(%s)" null>
+            &dtml-id; <dtml-var title fmt="(%s)" null html_quote>
           </option> 
         </dtml-if>
       </dtml-in>
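Review bot: The two `<option>` branches on the new side differ only by the `selected` attribute, which is why the same `html_quote` fix had to be applied twice at lines 41 and 46 and why a future change can easily land on only one of them. Collapsing the `<dtml-if>` into the tag keeps a single escaped occurrence: `<option value="&dtml-id;"<dtml-if "getId()==vocabulary_id"> selected</dtml-if>>` followed by `&dtml-id; <dtml-var title fmt="(%s)" null html_quote>` and `</option>`. Behaviour is unchanged because both branches already emit identical text apart from `selected`. The enclosing `<select>` and form start before this hunk.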


=== Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manage_vocab.dtml 1.5 => 1.5.28.1 ===
--- Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manage_vocab.dtml:1.5	Mon May 20 14:55:44 2002
+++ Zope/lib/python/Products/PluginIndexes/TextIndex/dtml/manage_vocab.dtml	Wed Oct 23 19:06:13 2002
@@ -15,7 +15,7 @@
     </dtml-try>
 
     <dtml-if useSplitter>
-     , Splitter is <em><dtml-var useSplitter></em>   
+     , Splitter is <em>&dtml-useSplitter;</em>   
     </dtml-if>
 
     <dtml-try>
@@ -34,21 +34,20 @@
 <dtml-if words>
 
 <p class="form-text">
-<dtml-var id> contains <em><dtml-var 
- words fmt=collection-length thousands_commas></em>
+&dtml-id; contains <em><dtml-var words fmt=collection-length thousands_commas></em>
  word(s).
 </p>
 
 <dtml-in words previous size=20 start=query_start >
   <span class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
     [Previous <dtml-var previous-sequence-size> entries]
   </a>
   </span>
 </dtml-in>
 <dtml-in words next size=20 start=query_start >
   <span class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
     [Next <dtml-var next-sequence-size> entries]
   </a>
   </span>
@@ -71,7 +70,7 @@
       <dtml-if "_.same_type(_['sequence-key'], 'x')">
         &dtml-sequence-key;
       <dtml-else>
-        <dtml-var "_['sequence-key'].encode('utf-8')"> 
+        <dtml-var "_['sequence-key'].encode('utf-8')" html_quote>
       </dtml-if>
       </div>
     </td>
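Review bot: This is the most exposed output in the commit, because the `sequence-key` values are the indexed words, i.e. text taken from the documents fed to the index rather than from the ZMI, and nothing in the template says so; a `<dtml-comment>words are taken from indexed document text: always html_quote them</dtml-comment>` above the `<dtml-if>` would make the reason for the `html_quote` on line 94 explicit. The two branches are now consistent: the entity form on line 91 quotes the plain-string case and the expr form on line 94 quotes the result of `.encode('utf-8')`, so the escaping runs on the encoded byte string. One pre-existing gap the commit does not address is that the else branch assumes every non-str key is unicode; a key of any other type would raise on `.encode`, which is not a quoting problem but worth a `<dtml-try>` if such keys can occur. The enclosing `<dtml-in words ...>` and table start before this hunk.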
@@ -84,7 +83,7 @@
 
 <dtml-in words previous size=20 start=query_start >
   <div class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
     [Previous <dtml-var previous-sequence-size> entries]
   </a>
   </div>
@@ -92,7 +91,7 @@
 
 <dtml-in words next size=20 start=query_start >
   <div class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
     [Next <dtml-var next-sequence-size> entries]
   </a>
   </div>