[Zope-Checkins] CVS: Zope/lib/python/Shared/DC/ZRDB/dtml - customDefaultReport.dtml:1.3.98.2
Tres Seaver
tseaver at zope.com
Thu Jan 8 16:13:44 EST 2004
Update of /cvs-repository/Zope/lib/python/Shared/DC/ZRDB/dtml
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/Shared/DC/ZRDB/dtml
Modified Files:
Tag: Zope-2_6-branch
customDefaultReport.dtml
Log Message:
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
See Collector #813 for other XSS-related rationale.
=== Zope/lib/python/Shared/DC/ZRDB/dtml/customDefaultReport.dtml 1.3.98.1 => 1.3.98.2 ===
--- Zope/lib/python/Shared/DC/ZRDB/dtml/customDefaultReport.dtml:1.3.98.1 Sun Dec 22 11:16:18 2002
+++ Zope/lib/python/Shared/DC/ZRDB/dtml/customDefaultReport.dtml Thu Jan 8 16:13:13 2004
@@ -3,9 +3,7 @@
<dtml-if previous-sequence>
- <a href="<dtml-var URL><dtml-var sequence-query
- >query_start=<dtml-var
- previous-sequence-start-number>">
+ <a href="&dtml-URL;&dtml-sequence-query;query_start=&dtml-previous-sequence-start-number;">
(Previous <dtml-var previous-sequence-size> results)
</a>
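Review bot: the security effect of this hunk is only implicit, so the log message should state it: the `&dtml-URL;`, `&dtml-sequence-query;` and `&dtml-previous-sequence-start-number;` entity forms are DTML shorthand for `<dtml-var NAME html_quote>`, whereas the removed `<dtml-var sequence-query>` rendered the request's query parameters into the `href` attribute unescaped. Since the value sits inside a double-quoted attribute, html_quote's escaping of `&`, `<`, `>` and `"` is the right encoding for this context; a one-line comment in the template (or a sentence in the Log Message) saying that the entity syntax is what closes the XSS would keep a later edit from switching back to the unquoted `<dtml-var>` form for readability.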
@@ -25,9 +23,7 @@
<dtml-if next-sequence>
- <a href="<dtml-var URL><dtml-var sequence-query
- >query_start=<dtml-var
- next-sequence-start-number>">
+ <a href="&dtml-URL;&dtml-sequence-query;query_start=&dtml-next-sequence-start-number;">
(Next <dtml-var next-sequence-size> results)
</a>
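Review bot: this hunk mirrors the Previous-link fix for the Next link and leaves `<dtml-var next-sequence-size>` unquoted, which is fine because that value is an integer produced by the batching code rather than request input. What is missing is a regression test: rendering this report with a search form value containing `<script>` and asserting that the generated `href` contains only the escaped form would pin down the behaviour, and would also make it easy to check that any other place in this template that echoes request data uses the quoting `&dtml-…;` form rather than `<dtml-var …>`.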