[Zope-Checkins] CVS: Zope/lib/python/AccessControl - Role.py:1.55.6.2
Tres Seaver
tseaver at zope.com
Thu Jan 8 16:13:33 EST 2004
Update of /cvs-repository/Zope/lib/python/AccessControl
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/AccessControl
Modified Files:
Tag: Zope-2_6-branch
Role.py
Log Message:
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
See Collector #813 for other XSS-related rationale.
=== Zope/lib/python/AccessControl/Role.py 1.55.6.1 => 1.55.6.2 ===
--- Zope/lib/python/AccessControl/Role.py:1.55.6.1 Sat Jan 18 21:03:59 2003
+++ Zope/lib/python/AccessControl/Role.py Thu Jan 8 16:13:01 2004
@@ -210,7 +210,7 @@
if fails:
return MessageDialog(title="Warning!",
message="Some permissions had errors: "
- + ', '.join(fails),
+ + escape(', '.join(fails)),
action='manage_access')
return MessageDialog(
title ='Success!',
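Review bot: the hunk introduces a call to `escape(...)` on the new `+` line but does not show where `escape` comes from; the old line did not need it, so please confirm the matching import (for example `from cgi import escape`, if that is the helper intended) is part of this same revision, otherwise the failure branch raises a NameError exactly when permission errors occur. Also, the log message talks about the ZSearch interface, while this hunk escapes the joined `fails` list rendered in the permission-error MessageDialog in Role.py; a one-line note in the log that this is the Role.py part of the XSS cleanup would make the history easier to follow. The "Success!" dialog that starts at the end of the hunk is out of view here; if it interpolates any request-supplied text, it needs the same treatment.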