[Zope-Checkins] CVS: Zope/lib/python/Products/PythonScripts/www - pyScriptProxy.dtml:1.2.228.1
Florent Guillaume
fg@nuxeo.com
Wed, 23 Oct 2002 19:06:44 -0400
Update of /cvs-repository/Zope/lib/python/Products/PythonScripts/www
In directory cvs.zope.org:/tmp/cvs-serv26857/lib/python/Products/PythonScripts/www
Modified Files:
Tag: efge-death-to-dtml-var-branch
pyScriptProxy.dtml
Log Message:
Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.
=== Zope/lib/python/Products/PythonScripts/www/pyScriptProxy.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/Products/PythonScripts/www/pyScriptProxy.dtml:1.2 Mon Jan 8 17:47:02 2001
+++ Zope/lib/python/Products/PythonScripts/www/pyScriptProxy.dtml Wed Oct 23 19:06:14 2002
@@ -24,7 +24,7 @@
<dtml-if expr="_vars['sequence-item'] != 'Shared'">
<option <dtml-if
expr="manage_haveProxy(_vars['sequence-item'])">selected</dtml-if
- >><dtml-var sequence-item></option>
+ >>&dtml-sequence-item;</option>
</dtml-if>
</dtml-in valid_roles>
</select>
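Review bot: On the changed line `>>&dtml-sequence-item;</option>`, the `<option>` still carries no explicit `value` attribute, so the form submits whatever the browser decodes from the element text. That round-trips correctly now that the role name is emitted through the HTML-quoting entity form, but it leaves the submitted value implicit. Consider adding `value="&dtml-sequence-item;"` to the `<option>` tag so the value is stated explicitly and is quoted in attribute context as well. The raw `_vars['sequence-item']` uses in the two `expr=` attributes above are evaluated server-side and never rendered, so they need no change.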