[Zope-Checkins] CVS: Zope/lib/python/ZTUtils - SimpleTree.py:1.3.6.2
Tres Seaver
tseaver at zope.com
Thu Jan 8 16:13:14 EST 2004
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/ZTUtils
Modified Files:
Tag: Zope-2_6-branch
SimpleTree.py
Log Message:
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
See Collector #813 for other XSS-related rationale.
=== Zope/lib/python/ZTUtils/SimpleTree.py 1.3.6.1 => 1.3.6.2 ===
--- Zope/lib/python/ZTUtils/SimpleTree.py:1.3.6.1 Thu Oct 3 17:09:14 2002
+++ Zope/lib/python/ZTUtils/SimpleTree.py Thu Jan 8 16:13:14 2004
@@ -16,6 +16,7 @@
__version__='$Revision$'[11:-2]
from Tree import TreeMaker, TreeNode, b2a
+from cgi import escape
class SimpleTreeNode(TreeNode):
def branch(self):
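Review bot: the import deserves a one-line comment saying which escaping it provides, because `cgi.escape(s, 1)` (as it is called in the next hunk) only turns `&`, `<`, `>` and `"` into entities and leaves `'` alone. That is enough for the double-quoted `src="..."` attribute it is applied to, but anyone who later reuses the same `escape(..., 1)` call for a single-quoted attribute or for raw element text gets no protection from a `'` in the value. Suggest `from cgi import escape  # escapes &, <, >, and (with quote=1) " only`.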
@@ -35,9 +36,10 @@
obid = self.id
pre = self.aq_acquire('tree_pre')
- return {'link': '?%s-setstate=%s,%s,%s#%s' % (pre, setst[0],
- exnum, obid, obid),
- 'img': '<img src="%s/p_/%s" alt="%s" border="0">' % (base, img, setst)}
+ return {'link': '?%s-setstate=%s,%s,%s#%s' % \
+ (pre, setst[0], exnum, obid, obid),
+ 'img': '<img src="%s/p_/%s" alt="%s" border="0">' % \
+ (escape(base, 1), img, setst)}
class SimpleTreeMaker(TreeMaker):
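Review bot: only `base` is escaped in the `img` entry; `img` and `setst` land in the same element unescaped (`alt="%s"` takes `setst` raw), and the `link` entry still interpolates `pre`, `setst[0]`, `exnum` and `obid` without any escaping. If any of those can carry request-derived text, the same `"` break-out the log message describes applies to them, so either escape them with the same `escape(..., 1)` call or add a comment stating why they are trusted (for example, that `obid` is a validated object id). Separately, the backslash continuations on the two `return` lines are unnecessary inside the dict literal's braces, and reflowing the untouched `link` entry in a security fix makes the behavioural change harder to spot; keeping the diff to the one line that changes (`(escape(base, 1), img, setst)}`) would be cleaner.

The attribute break-out the log message describes, and the effect of the quote-escaping this hunk adds, as an added example that is not Zope's code. It is Python 3: `html.escape(s, quote=True)` stands in for the `cgi.escape(base, 1)` call in the patch (`cgi.escape` was removed in Python 3.8). The function names, the `_TagCollector` helper and the sample URL are invented for the illustration; the string formats copy the shape of the `img` entry before and after the hunk.

```python
# Added example, not Zope's code: shows the attribute break-out the log
# message describes and the effect of quote-escaping the 'img' src as the
# hunk does.  Python 3: html.escape(s, quote=True) is the modern
# equivalent of the cgi.escape(base, 1) call in the patch (cgi.escape was
# removed in Python 3.8).  Function names and the sample URL are invented.
from html import escape
from html.parser import HTMLParser


def render_img_before(base, img, setst):
    """Pre-patch shape of the 'img' entry: base is interpolated raw."""
    return '<img src="%s/p_/%s" alt="%s" border="0">' % (base, img, setst)


def render_img_after(base, img, setst):
    """Post-patch shape: base escaped with quote=True, so a '"' in it
    becomes &quot; and can no longer close the src attribute."""
    return '<img src="%s/p_/%s" alt="%s" border="0">' % (
        escape(base, quote=True), img, setst)


# Constructed attacker input: what a browser that does not percent-encode
# the query string would send as the request URL that ends up in `base`.
ATTACK_BASE = 'http://host/folder?x="><script>alert(1)</script><img src="'


class _TagCollector(HTMLParser):
    """Collects start tags roughly the way a browser's tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # attrs arrive with entities already decoded, i.e. the value the
        # browser would actually use for the attribute.
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup):
    """Return [(tag, {attr: value}), ...] for the start tags in `markup`."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def tag_names(markup):
    """Just the element names, in document order."""
    return [tag for tag, _ in parsed_tags(markup)]


if __name__ == '__main__':
    before = render_img_before(ATTACK_BASE, 'plus.gif', '+')
    after = render_img_after(ATTACK_BASE, 'plus.gif', '+')
    # Unescaped: the payload closes src, and a <script> element appears.
    print('before:', tag_names(before))   # ['img', 'script', 'img']
    # Escaped: one <img>, whose src attribute merely contains the text.
    print('after: ', tag_names(after))    # ['img']
```

The parse-based check is the useful part: with the raw `base` the markup tokenizes as `img`, `script`, `img`, which is exactly what a browser would execute, while after escaping the whole payload survives only as the decoded text of a single `src` attribute. Note that `escape(..., quote=True)` is sufficient here only because the attribute is double-quoted; the `alt="%s"` value built from `setst` in the same line gets no such treatment.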