[Zope-Checkins] CVS: Zope/lib/python/Products/SiteAccess - AccessRule.py:1.4.6.2 SiteRoot.py:1.6.6.1

Tres Seaver tseaver at zope.com
Thu Jan 8 16:13:39 EST 2004


Update of /cvs-repository/Zope/lib/python/Products/SiteAccess
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/Products/SiteAccess

Modified Files:
      Tag: Zope-2_6-branch
	AccessRule.py SiteRoot.py 
Log Message:


   - Browsers that do not escape html in query strings such as 
     Internet Explorer 5.5 could potentially send a script tag in a 
     query string to the ZSearch interface for cross-site scripting.
     See Collector #813 for other XSS-related rationale.


=== Zope/lib/python/Products/SiteAccess/AccessRule.py 1.4.6.1 => 1.4.6.2 ===
--- Zope/lib/python/Products/SiteAccess/AccessRule.py:1.4.6.1	Fri Jan 24 11:53:48 2003
+++ Zope/lib/python/Products/SiteAccess/AccessRule.py	Thu Jan  8 16:13:08 2004
@@ -8,6 +8,7 @@
  registerBeforeTraverse, unregisterBeforeTraverse, queryBeforeTraverse, \
  NameCaller
 import os
+from cgi import escape
 
 SUPPRESS_ACCESSRULE = os.environ.has_key('SUPPRESS_ACCESSRULE')
 
@@ -60,12 +61,13 @@
         if REQUEST:
             return MessageDialog(title='Access Rule Set',
               message='"%s" is now the Access Rule for this object'
-                      % method_id,
+                      % escape(method_id),
               action='%s/manage_main' % REQUEST['URL1'])
     else:
         if REQUEST:
             return MessageDialog(title='Invalid Method Id',
-              message='"%s" is not the Id of a method of this object' % method_id,
+              message='"%s" is not the Id of a method of this object'
+                      % escape(method_id),
               action='%s/manage_main' % REQUEST['URL1'])
 
 def getAccessRule(self, REQUEST=None):
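Review bot: `escape(method_id)` on the two added lines uses cgi.escape's default quote=None, so `"` and `'` pass through unchanged; that is sufficient here because the value lands in element content between literal quote characters, but `escape(method_id, 1)` costs nothing and keeps the dialog safe if MessageDialog ever renders the message inside an attribute. The same default applies to every escape call added in SiteRoot.py. The unchanged `action='%s/manage_main' % REQUEST['URL1']` line still interpolates without escaping; URL1 is derived from the request path rather than a query parameter, so this is presumably fine, but it would be consistent to give it the same treatment. The enclosing function begins before the hunk, and getAccessRule on the last context line continues after it.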


=== Zope/lib/python/Products/SiteAccess/SiteRoot.py 1.6 => 1.6.6.1 ===
--- Zope/lib/python/Products/SiteAccess/SiteRoot.py:1.6	Wed Aug 14 18:25:10 2002
+++ Zope/lib/python/Products/SiteAccess/SiteRoot.py	Thu Jan  8 16:13:08 2004
@@ -9,6 +9,7 @@
 from ExtensionClass import Base
 from ZPublisher import BeforeTraverse
 import os
+from cgi import escape
 
 from AccessRule import _swallow
 
@@ -38,7 +39,7 @@
         self.addToContainer(container)
         if nextURL:
             return MessageDialog(title='Item Added',
-              message='This object now has a %s' % self.meta_type,
+              message='This object now has a %s' % escape(self.meta_type),
               action=nextURL)
 
     def manage_beforeDelete(self, item, container):
@@ -60,7 +61,7 @@
         if id != self.id:
             raise Globals.MessageDialog(
                 title='Invalid Id',
-                message='Cannot change the id of a %s' % self.meta_type,
+                message='Cannot change the id of a %s' % escape(self.meta_type),
                 action ='./manage_main',)
 
 class SiteRoot(Traverser, Implicit):
@@ -99,7 +100,7 @@
             return MessageDialog(title='SiteRoot changed.',
               message='The title is now "%s"<br>'
                       'The base is now "%s"<br>'
-                      'The path is now "%s"<br>' % (title, base, path),
+                      'The path is now "%s"<br>' % map(escape, (title, base, path)),
               action='%s/manage_main' % REQUEST['URL1'])
 
     def __call__(self, client, request, response=None):
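Review bot: The rewritten format expression on the added line will raise TypeError under Python 2 because `map()` returns a list and the `%` operator only unpacks a tuple; `'... %s ... %s ... %s' % [a, b, c]` is treated as a single argument and fails with "not enough arguments for format string", so the success dialog breaks instead of rendering. Wrap the result: `'The path is now "%s"<br>' % tuple(map(escape, (title, base, path))),`. As with the other escape calls in this commit, the default quote handling leaves `"` intact, which is acceptable in element content; `escape(x, 1)` would be the more conservative choice. The enclosing method's signature and the source of title/base/path lie outside the hunk.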



