[Zope-Checkins] CVS: Zope/lib/python/OFS - Application.py:1.188.4.4
CopySupport.py:1.82.6.2 PropertyManager.py:1.46.6.8
Tres Seaver
tseaver at zope.com
Thu Jan 8 16:13:36 EST 2004
Update of /cvs-repository/Zope/lib/python/OFS
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/OFS
Modified Files:
Tag: Zope-2_6-branch
Application.py CopySupport.py PropertyManager.py
Log Message:
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
See Collector #813 for other XSS-related rationale.
=== Zope/lib/python/OFS/Application.py 1.188.4.3 => 1.188.4.4 ===
--- Zope/lib/python/OFS/Application.py:1.188.4.3 Tue Jun 24 09:44:11 2003
+++ Zope/lib/python/OFS/Application.py Thu Jan 8 16:13:05 2004
@@ -22,6 +22,7 @@
from App.ApplicationManager import ApplicationManager
from webdav.NullResource import NullResource
from FindSupport import FindSupport
+from cgi import escape
from urllib import quote
from StringIO import StringIO
from AccessControl.PermissionRole import PermissionRole
@@ -117,8 +118,8 @@
"""Returns an HTML fragment that displays the 'powered by zope'
button along with a link to the Zope site."""
return '<a href="http://www.zope.org/Credits" target="_top"><img ' \
- 'src="%s/p_/ZopeButton" width="115" height="50" ' \
- 'border="0" alt="Powered by Zope" /></a>' % self.REQUEST.BASE1
+ 'src="%s/p_/ZopeButton" width="115" height="50" border="0" ' \
+ 'alt="Powered by Zope" /></a>' % escape(self.REQUEST.BASE1, 1)
def DELETE(self, REQUEST, RESPONSE):
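Review bot: The `escape(self.REQUEST.BASE1, 1)` call deserves a comment saying why the second argument is there: the value is interpolated into a double-quoted `src` attribute, and only `quote=1` converts `"`, so a plain `escape()` would still let a quote in BASE1 break out of the attribute. Suggest `# quote=1: BASE1 lands inside a double-quoted attribute, so '"' must be escaped too` above the return. The enclosing method's signature is outside the hunk; only its docstring is visible.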
=== Zope/lib/python/OFS/CopySupport.py 1.82.6.1 => 1.82.6.2 ===
--- Zope/lib/python/OFS/CopySupport.py:1.82.6.1 Wed Dec 18 07:08:25 2002
+++ Zope/lib/python/OFS/CopySupport.py Thu Jan 8 16:13:05 2004
@@ -22,6 +22,7 @@
from Acquisition import aq_base, aq_inner, aq_parent
from zExceptions import Unauthorized
from AccessControl import getSecurityManager
+from cgi import escape
CopyError='Copy Error'
@@ -66,7 +67,7 @@
for id in ids:
ob=self._getOb(id)
if not ob.cb_isMoveable():
- raise CopyError, eNotSupported % id
+ raise CopyError, eNotSupported % escape(id)
m=Moniker.Moniker(ob)
oblist.append(m.dump())
cp=(1, oblist)
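Review bot: `eNotSupported % escape(id)` is correct only if `eNotSupported` (defined outside the hunk) interpolates its argument into raw HTML without quoting it itself; if it is a MessageDialog or DTML template that already HTML-quotes the value, the id will be double-escaped and render as literal `&amp;lt;` in the dialog. Worth confirming and recording at the definition with a comment such as `# eNotSupported embeds its argument in HTML; callers must cgi.escape() it`, or moving the escape into the template so call sites cannot forget it. The same per-call-site change appears in the hunks at -91, -150, -174, -232 and -259 in this file. The enclosing method begins outside the hunk.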
@@ -91,7 +92,7 @@
for id in ids:
ob=self._getOb(id)
if not ob.cb_isCopyable():
- raise CopyError, eNotSupported % id
+ raise CopyError, eNotSupported % escape(id)
m=Moniker.Moniker(ob)
oblist.append(m.dump())
cp=(0, oblist)
@@ -150,7 +151,7 @@
# Copy operation
for ob in oblist:
if not ob.cb_isCopyable():
- raise CopyError, eNotSupported % ob.getId()
+ raise CopyError, eNotSupported % escape(ob.getId())
try: ob._notifyOfCopyTo(self, op=0)
except: raise CopyError, MessageDialog(
title='Copy Error',
@@ -174,7 +175,7 @@
for ob in oblist:
id=ob.getId()
if not ob.cb_isMoveable():
- raise CopyError, eNotSupported % id
+ raise CopyError, eNotSupported % escape(id)
try: ob._notifyOfCopyTo(self, op=1)
except: raise CopyError, MessageDialog(
title='Move Error',
@@ -232,7 +233,7 @@
action ='manage_main')
ob=self._getOb(id)
if not ob.cb_isMoveable():
- raise CopyError, eNotSupported % id
+ raise CopyError, eNotSupported % escape(id)
self._verifyObjectPaste(ob)
try: ob._notifyOfCopyTo(self, op=1)
except: raise CopyError, MessageDialog(
@@ -259,7 +260,7 @@
def manage_clone(self, ob, id, REQUEST=None):
# Clone an object, creating a new object with the given id.
if not ob.cb_isCopyable():
- raise CopyError, eNotSupported % ob.getId()
+ raise CopyError, eNotSupported % escape(ob.getId())
try: self._checkId(id)
except: raise CopyError, MessageDialog(
title='Invalid Id',
@@ -497,11 +498,11 @@
fMessageDialog=Globals.HTML("""
<HTML>
<HEAD>
-<TITLE><dtml-var title></TITLE>
+<TITLE>&dtml-title;</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF">
-<FORM ACTION="<dtml-var action>" METHOD="GET" <dtml-if
- target>TARGET="<dtml-var target>"</dtml-if>>
+<FORM ACTION="&dtml-action;" METHOD="GET" <dtml-if
+ target>TARGET="&dtml-target;"</dtml-if>>
<TABLE BORDER="0" WIDTH="100%%" CELLPADDING="10">
<TR>
<TD VALIGN="TOP">
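Review bot: Switching title, action and target to `&dtml-…;` entity syntax makes the template HTML-quote those three values, but the `message` variable that the new `escape(id)` call sites feed in is presumably still rendered unquoted further down (outside this hunk), since callers pass markup such as `<em>%s</em>`. That split contract — the template escapes title/action/target, callers escape anything placed inside message — is not written down anywhere in the diff; a short DTML comment near the top of fMessageDialog, e.g. `<dtml-comment>title/action/target are HTML-quoted here; 'message' is inserted as raw HTML and callers must escape any user input in it</dtml-comment>`, would keep the next caller from passing an unescaped id. The template continues past the hunk.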
=== Zope/lib/python/OFS/PropertyManager.py 1.46.6.7 => 1.46.6.8 ===
--- Zope/lib/python/OFS/PropertyManager.py:1.46.6.7 Thu Jan 8 15:32:21 2004
+++ Zope/lib/python/OFS/PropertyManager.py Thu Jan 8 16:13:05 2004
@@ -335,7 +335,7 @@
if (not 'd' in propdict[id].get('mode', 'wd')) or (id in nd):
return MessageDialog(
title ='Cannot delete %s' % id,
- message='The property <em>%s</em> cannot be deleted.' % id,
+ message='The property <em>%s</em> cannot be deleted.' % escape(id),
action ='manage_propertiesForm')
self._delProperty(id)
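Review bot: This file's diff has no hunk adding `from cgi import escape`, unlike Application.py and CopySupport.py in the same commit, so unless an earlier revision already imports it the new `escape(id)` raises NameError on exactly the error path it is meant to protect; confirm the import is present at the top of PropertyManager.py. The `title ='Cannot delete %s' % id` two lines above still interpolates the same id unescaped and relies on the MessageDialog template quoting its title; if this MessageDialog is the fMessageDialog changed in CopySupport.py that now holds, otherwise `escape(id)` should be applied there as well. The enclosing method starts outside the hunk.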