[Zope-Checkins] CVS: Zope/lib/python/Products/ZCatalog/dtml - catalogView.dtml:1.6.10.2 manage_vocab.dtml:1.3.186.1

Tres Seaver tseaver at zope.com
Thu Jan 8 16:13:41 EST 2004


Update of /cvs-repository/Zope/lib/python/Products/ZCatalog/dtml
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/Products/ZCatalog/dtml

Modified Files:
      Tag: Zope-2_6-branch
	catalogView.dtml manage_vocab.dtml 
Log Message:


   - Browsers that do not escape html in query strings such as 
     Internet Explorer 5.5 could potentially send a script tag in a 
     query string to the ZSearch interface for cross-site scripting.
     See Collector #813 for other XSS-related rationale.
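
What the `<dtml-var URL>` to `&dtml-URL;` change in the hunks below buys, as an added illustration that is not part of this checkin or of Zope itself: `&dtml-name;` is DTML shorthand for `<dtml-var name html_quote>`, and html_quote escapes `&`, `<`, `>` and `"`. The script re-implements that quoting in plain Python (the `html_quote` function is a stand-in, not an import of DocumentTemplate), renders the pagination anchor both ways with a constructed URL value carrying an attribute-breakout payload, and uses the standard-library HTML parser to show which start tags a browser would tokenise. The hostname and the payload are made up for the example.

```python
from html.parser import HTMLParser


def html_quote(text):
    """Stand-in for DocumentTemplate's html_quote: escape the four characters
    that can break out of text content or a double-quoted attribute.
    Assumption: this matches what Zope applies for <dtml-var ... html_quote>
    and therefore for the &dtml-name; entity form."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def render_nav_link(url, start, quoted):
    """Render the 'Next' anchor from catalogView.dtml / manage_vocab.dtml.

    quoted=False mirrors the old '<dtml-var URL>' (value inserted raw);
    quoted=True mirrors the new '&dtml-URL;' (value passed through html_quote).
    The start number is an integer computed by dtml-in, so it is formatted
    with %d and needs no quoting.
    """
    value = html_quote(url) if quoted else url
    return '<a href="%s?query_start=%d">[Next 20 entries]</a>' % (value, start)


class TagCollector(HTMLParser):
    """Record every start tag and its attributes, the way a browser would
    tokenise the rendered fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Constructed attacker-controlled value for the URL variable: the double quote
# closes the href, '>' closes the <a> start tag, and a script element follows.
PAYLOAD_URL = 'http://zope.example/Catalog/catalogView"><script>alert(1)</script><a href="'


def tag_names(url=PAYLOAD_URL, quoted=False):
    """Names of the start tags a browser sees in the rendered anchor."""
    return [name for name, _ in parse_tags(render_nav_link(url, 20, quoted))]


def href_value(url=PAYLOAD_URL, quoted=True):
    """The href the browser ends up with (entities decoded by the parser)."""
    return parse_tags(render_nav_link(url, 20, quoted))[0][1]["href"]


if __name__ == "__main__":
    print("before fix:", tag_names(quoted=False))  # ['a', 'script', 'a']
    print("after fix: ", tag_names(quoted=True))   # ['a']
    print("href after fix:", href_value())
```

With the raw substitution the parser sees an injected `script` element and a second anchor; with html_quote applied the whole payload stays inside the single href attribute, and decoding the entities gives back exactly the original value plus the `?query_start=20` suffix, so the link still works for a legitimate URL.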


=== Zope/lib/python/Products/ZCatalog/dtml/catalogView.dtml 1.6.10.1 => 1.6.10.2 ===
--- Zope/lib/python/Products/ZCatalog/dtml/catalogView.dtml:1.6.10.1	Mon Dec 16 13:34:43 2002
+++ Zope/lib/python/Products/ZCatalog/dtml/catalogView.dtml	Thu Jan  8 16:13:10 2004
@@ -36,12 +36,12 @@
 </p>
   <div class="form-text">
   <dtml-in searchResults previous size=20 start=query_start >
-    <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+    <a href="&dtml-URL;?query_start=&dtml-previous-sequence-start-number;">
       [Previous <dtml-var previous-sequence-size> entries]
     </a>
   </dtml-in>
   <dtml-in searchResults next size=20 start=query_start >
-    <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+    <a href="&dtml-URL;?query_start=&dtml-next-sequence-start-number;">
       [Next <dtml-var next-sequence-size> entries]
     </a>
   </dtml-in>
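Review bot: both href rewrites are correct, since `&dtml-URL;` is DTML shorthand for `<dtml-var URL html_quote>` and html_quote escapes `"`, `<`, `>` and `&` before the value lands inside the double-quoted href, which is exactly what stops a `"><script>` in the URL value from closing the attribute. The untouched `<dtml-var previous-sequence-size>` and `<dtml-var next-sequence-size>` are batch counts computed by dtml-in rather than request input, so leaving them in the old form is fine, but a short template comment saying that the entity syntax is required here for quoting would keep a later editor from reverting to `<dtml-var URL>`.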


=== Zope/lib/python/Products/ZCatalog/dtml/manage_vocab.dtml 1.3 => 1.3.186.1 ===
--- Zope/lib/python/Products/ZCatalog/dtml/manage_vocab.dtml:1.3	Fri Jan 26 14:00:13 2001
+++ Zope/lib/python/Products/ZCatalog/dtml/manage_vocab.dtml	Thu Jan  8 16:13:10 2004
@@ -11,14 +11,14 @@
 
 <dtml-in words previous size=20 start=query_start >
   <span class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=&dtml-previous-sequence-start-number;">
     [Previous <dtml-var previous-sequence-size> entries]
   </a>
   </span>
 </dtml-in>
 <dtml-in words next size=20 start=query_start >
   <span class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=&dtml-next-sequence-start-number;">
     [Next <dtml-var next-sequence-size> entries]
   </a>
   </span>
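Review bot: same correct fix as in catalogView.dtml, but note that this previous/next navigation markup is copied verbatim here and again in the two hunks below (-48 and -56), which is why one logical change needs four edits; factoring the pagination links into a single shared snippet would make the quoting fix a one-line change and prevent the copies from drifting apart.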
@@ -48,7 +48,7 @@
 
 <dtml-in words previous size=20 start=query_start >
   <div class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=&dtml-previous-sequence-start-number;">
     [Previous <dtml-var previous-sequence-size> entries]
   </a>
   </div>
@@ -56,7 +56,7 @@
 
 <dtml-in words next size=20 start=query_start >
   <div class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL?query_start=&dtml-next-sequence-start-number;">
     [Next <dtml-var next-sequence-size> entries]
   </a>
   </div>
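Review bot: the `+` line in this hunk is missing the terminating semicolon on the first entity: `&dtml-URL?query_start=&dtml-next-sequence-start-number;` should read `&dtml-URL;?query_start=&dtml-next-sequence-start-number;` as in the other three replacements. Without the `;` DTML does not recognise `&dtml-URL` as an entity, so the literal text `&dtml-URL?query_start=` is emitted and the URL value is never rendered, leaving the Next link in this section of manage_vocab.dtml broken. Please correct it before the branch is tagged.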



