[Zope-Checkins] CVS: Zope/lib/python/App - ApplicationManager.py:1.81.6.3 Dialogs.py:1.8.6.1 Management.py:1.61.6.4

Tres Seaver tseaver at zope.com
Thu Jan 8 16:13:34 EST 2004


Update of /cvs-repository/Zope/lib/python/App
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/App

Modified Files:
      Tag: Zope-2_6-branch
	ApplicationManager.py Dialogs.py Management.py 
Log Message:


   - Browsers that do not escape html in query strings such as 
     Internet Explorer 5.5 could potentially send a script tag in a 
     query string to the ZSearch interface for cross-site scripting.
     See Collector #813 for other XSS-related rationale.


=== Zope/lib/python/App/ApplicationManager.py 1.81.6.2 => 1.81.6.3 ===
--- Zope/lib/python/App/ApplicationManager.py:1.81.6.2	Wed Nov 13 10:56:07 2002
+++ Zope/lib/python/App/ApplicationManager.py	Thu Jan  8 16:13:02 2004
@@ -27,6 +27,7 @@
 from version_txt import version_txt
 from cStringIO import StringIO
 from AccessControl import getSecurityManager
+from cgi import escape
 import zLOG
 
 try: import thread
@@ -330,7 +331,7 @@
             <head><meta HTTP-EQUIV=REFRESH CONTENT="5; URL=%s/manage_main">
             </head>
             <body>Zope is restarting</body></html>
-            """ % URL1
+            """ % escape(URL1)
             sys.exit(1)
 
     def manage_shutdown(self):
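Review bot: `escape(URL1)` on the new line is called without the quote argument, yet the value is interpolated inside a double-quoted attribute (`CONTENT="5; URL=%s/manage_main"`), so a `"` in URL1 passes through unescaped and the attribute boundary is not protected; the Management.py hunk in this same commit uses `escape(script, 1)` for exactly this attribute context. Suggest `""" % escape(URL1, 1)` so both files treat attribute values the same way. The enclosing method starts before the hunk, so where URL1 comes from is not visible here; the stronger form is a cheap consistency fix regardless.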


=== Zope/lib/python/App/Dialogs.py 1.8 => 1.8.6.1 ===
--- Zope/lib/python/App/Dialogs.py:1.8	Wed Aug 14 17:31:40 2002
+++ Zope/lib/python/App/Dialogs.py	Thu Jan  8 16:13:02 2004
@@ -39,11 +39,11 @@
 MessageDialog = HTML("""
 <HTML>
 <HEAD>
-<TITLE><dtml-var title></TITLE>
+<TITLE>&dtml-title;</TITLE>
 </HEAD>
 <BODY BGCOLOR="#FFFFFF">
-<FORM ACTION="<dtml-var action>" METHOD="GET" <dtml-if
- target>TARGET="<dtml-var target>"</dtml-if>>
+<FORM ACTION="&dtml-action;" METHOD="GET" <dtml-if
+ target>TARGET="&dtml-target;"</dtml-if>>
 <TABLE BORDER="0" WIDTH="100%" CELLPADDING="10">
 <TR>
   <TD VALIGN="TOP">


=== Zope/lib/python/App/Management.py 1.61.6.3 => 1.61.6.4 ===
--- Zope/lib/python/App/Management.py:1.61.6.3	Sat Oct 18 04:27:29 2003
+++ Zope/lib/python/App/Management.py	Thu Jan  8 16:13:03 2004
@@ -21,6 +21,7 @@
 from Dialogs import MessageDialog
 from Globals import DTMLFile, HTMLFile
 from AccessControl import getSecurityManager, Unauthorized
+from cgi import escape
 
 class Tabs(ExtensionClass.Base):
     """Mix-in provides management folder tab support."""
@@ -89,16 +90,16 @@
         script = REQUEST['BASEPATH1']
         linkpat = '<a href="%s/manage_workspace">%s</a>'
         out = []
-        url = linkpat % (script, '&nbsp;/')
+        url = linkpat % (escape(script, 1), '&nbsp;/')
         if not steps:
             return url
         last = steps.pop()
         for step in steps:
             script = '%s/%s' % (script, step)
-            out.append(linkpat % (script, unquote(step)))
+            out.append(linkpat % (escape(script, 1), escape(unquote(step))))
         script = '%s/%s' % (script, last)
         out.append('<a class="strong-link" href="%s/manage_workspace">%s</a>'%
-                   (script, unquote(last)))
+                   (escape(script, 1), escape(unquote(last))))
         return '%s%s' % (url, '/'.join(out))
 
     def tabs_path_info(self, script, path,
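Review bot: The positional `1` in the three `escape(script, 1)` calls reads as a magic value next to the `escape(unquote(step))` calls that deliberately omit it; cgi.escape's second parameter is named `quote`, so `escape(script, quote=1)` states the intent (the value sits in a double-quoted href attribute) and makes the text-node/attribute distinction visible at each call. Alternatively, one comment above `linkpat` would carry the same information: `# href values are attribute context: escape with quote=1; link text is escaped without it`. The enclosing method's signature is above the hunk, so the origin of `steps` is not visible here.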



