[Zope-Checkins] CVS: Zope/lib/python/OFS/dtml - findResult.dtml:1.3.6.1
Tres Seaver
tseaver at zope.com
Thu Jan 8 16:13:37 EST 2004
Update of /cvs-repository/Zope/lib/python/OFS/dtml
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/OFS/dtml
Modified Files:
Tag: Zope-2_6-branch
findResult.dtml
Log Message:
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
See Collector #813 for other XSS-related rationale.
=== Zope/lib/python/OFS/dtml/findResult.dtml 1.3 => 1.3.6.1 ===
--- Zope/lib/python/OFS/dtml/findResult.dtml:1.3 Thu Aug 1 15:09:28 2002
+++ Zope/lib/python/OFS/dtml/findResult.dtml Thu Jan 8 16:13:06 2004
@@ -60,13 +60,13 @@
<td width="50%">
<div class="list-item">
<dtml-in name="results" previous size="batch_size" start="query_start">
- <strong> <a href="<dtml-var name="URL"><dtml-var name="sequence-query">query_start=<dtml-var name="previous-sequence-start-number">">< Previous</a></strong>
+ <strong> <a href="&dtml-URL;&dtml-sequence-query;query_start=&dtml-previous-sequence-start-number;">< Previous</a></strong>
<dtml-else> </dtml-in></div>
</td>
<td align="right" width="50%">
<div class="list-item">
<dtml-in name="results" next size=batch_size start=query_start>
- <strong><a href="<dtml-var URL><dtml-var sequence-query>query_start=<dtml-var next-sequence-start-number>">Next ></a></strong>
+ <strong><a href="&dtml-URL;&dtml-sequence-query;query_start=&dtml-next-sequence-start-number;">Next ></a></strong>
<dtml-else> </dtml-in></div>
</td>
</tr>
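Review bot: the fix works because the `&dtml-NAME;` entity syntax html-quotes the inserted value (it is DTML's shorthand for `<dtml-var NAME html_quote>`), so a `sequence-query` or `URL` carrying `"` or `<` can no longer break out of the `href` attribute; that reasoning is only implied by the log message, so a one-line comment in the template (or an explicit note in the log) would keep a later "cleanup" from reverting to the unquoted `<dtml-var ...>` form. Two minor points in the same hunk: the Next block's `<dtml-in name="results" next size=batch_size start=query_start>` leaves its attribute values unquoted while the Previous block quotes them (`size="batch_size" start="query_start"`), and the literal `<` / `>` in the link text (`< Previous`, `Next >`) should be `&lt;` / `&gt;` for well-formed HTML.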