[Zope-Checkins] CVS: Zope/lib/python/Shared/DC/ZRDB -
Aqueduct.py:1.58 Connection.py:1.39 Search.py:1.22
Tres Seaver
tseaver at zope.com
Thu Jan 15 17:44:40 EST 2004
Update of /cvs-repository/Zope/lib/python/Shared/DC/ZRDB
In directory cvs.zope.org:/tmp/cvs-serv19785/lib/python/Shared/DC/ZRDB
Modified Files:
Aqueduct.py Connection.py Search.py
Log Message:
- Merge CGI-escape templating changes from 2.6 / 2.7 audit work.
=== Zope/lib/python/Shared/DC/ZRDB/Aqueduct.py 1.57 => 1.58 ===
--- Zope/lib/python/Shared/DC/ZRDB/Aqueduct.py:1.57 Tue Nov 18 08:17:14 2003
+++ Zope/lib/python/Shared/DC/ZRDB/Aqueduct.py Thu Jan 15 17:44:08 2004
@@ -158,7 +158,7 @@
'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">\n'
'<html lang="en"><head><title>%s Input Data</title></head>\n'
'<body bgcolor="#FFFFFF" link="#000099" vlink="#555555">\n%s\n'
- '<form action="<dtml-var URL2>/<dtml-var id>/%s" '
+ '<form action="&dtml-URL2;/&dtml-id;/%s" '
'method="get">\n'
'<h2>%s Input Data</h2>\n'
'Enter query parameters:<br>'
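Review bot: The `%s` that follows the new `&dtml-URL2;/&dtml-id;/` prefix on the form-action line is still filled by plain Python `%` interpolation with no escaping, so the entity-reference switch only html-quotes the DTML-rendered parts of that attribute; the format tuple visible at the end of the last Aqueduct hunk, `% (id, tabs, action, id)`, shows `id` and `action` also going into the title and heading unquoted. If these values are always author-controlled object ids that is acceptable, but the assumption is not stated, and the same pattern appears in the @@ -197 hunk. Either add a comment above the template, `# id/action are interpolated raw; only the &dtml-...; entities are html-quoted`, or pass them through `escape(..., 1)` as Connection.py and Search.py now do. The enclosing function starts before and continues after the hunk.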
@@ -187,7 +187,7 @@
'<dtml-if HTTP_REFERER>\n'
' <input type="SUBMIT" name="SUBMIT" value="Cancel">\n'
' <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN"\n'
- ' VALUE="<dtml-var HTTP_REFERER>">\n'
+ ' VALUE="&dtml-HTTP_REFERER;">\n'
'</dtml-if>\n'
'</td></tr>\n</table>\n</form>\n</body>\n</html>\n'
)
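Review bot: `&dtml-HTTP_REFERER;` html-quotes the Referer header inside the hidden CANCEL_ACTION value, which closes the attribute break-out, but the value remains client-supplied and, judging by its name, is consumed later as a navigation target; that consumer is outside this hunk and is where the URL should be checked (same host, http/https) rather than trusted. The identical change in the @@ -205 hunk has the same caveat. A comment between the string fragments, `# HTTP_REFERER is untrusted: quoting here is not validation of CANCEL_ACTION`, would record that. The enclosing function starts before the hunk.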
@@ -197,7 +197,7 @@
'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">\n'
'<html lang="en"><head><title>%s Input Data</title></head>\n'
'<body bgcolor="#FFFFFF" link="#000099" vlink="#555555">\n%s\n'
- '<form action="<dtml-var URL2>/<dtml-var id>/%s" '
+ '<form action="&dtml-URL2;/&dtml-id;/%s" '
'method="get">\n'
'<h2>%s Input Data</h2>\n'
'This query requires no input.<p>\n'
@@ -205,7 +205,7 @@
'<dtml-if HTTP_REFERER>\n'
' <input type="SUBMIT" name="SUBMIT" value="Cancel">\n'
' <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN"\n'
- ' VALUE="<dtml-var HTTP_REFERER>">\n'
+ ' VALUE="&dtml-HTTP_REFERER;">\n'
'</dtml-if>\n'
'</td></tr>\n</table>\n</form>\n</body>\n</html>\n'
% (id, tabs, action, id)
=== Zope/lib/python/Shared/DC/ZRDB/Connection.py 1.38 => 1.39 ===
--- Zope/lib/python/Shared/DC/ZRDB/Connection.py:1.38 Tue Nov 18 08:17:14 2003
+++ Zope/lib/python/Shared/DC/ZRDB/Connection.py Thu Jan 15 17:44:08 2004
@@ -25,6 +25,7 @@
from Results import Results
from sys import exc_info
from zLOG import LOG, ERROR
+from cgi import escape
import DocumentTemplate, RDB
from zExceptions import BadRequest
@@ -103,7 +104,7 @@
if REQUEST is not None:
return MessageDialog(
title='Edited',
- message='<strong>%s</strong> has been edited.' % self.id,
+ message='<strong>%s</strong> has been edited.' % escape(self.id),
action ='./manage_main',
)
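Review bot: `escape(self.id)` relies on the default `quote=False`, which is sufficient only because `self.id` lands in `<strong>` element content rather than in an attribute; Search.py in this same commit uses `escape(url, 1)` for its attribute case, so the difference is deliberate but unexplained. A one-line comment, `# element content only: quote=False suffices; use escape(x, 1) inside attributes`, would stop the next editor from copying this form into an attribute value. The enclosing method starts before the hunk.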
=== Zope/lib/python/Shared/DC/ZRDB/Search.py 1.21 => 1.22 ===
--- Zope/lib/python/Shared/DC/ZRDB/Search.py:1.21 Tue Nov 18 08:17:14 2003
+++ Zope/lib/python/Shared/DC/ZRDB/Search.py Thu Jan 15 17:44:08 2004
@@ -18,6 +18,7 @@
from Globals import DTMLFile
from Aqueduct import custom_default_report, custom_default_zpt_report, nicify, Args
from string import join
+from cgi import escape
from AccessControl import getSecurityManager
addForm=DTMLFile('dtml/searchAdd', globals())
@@ -57,7 +58,7 @@
cannot be generated. Before creating a report
from this query, you must try out the query. To
try out the query, <a href="%s">click here</a>.
- """ % (q.title_and_id(), url))
+ """ % (escape(q.title_and_id()), escape(url, 1)))
if object_type == 'dtml_methods':
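Review bot: `escape(url, 1)` passes the quote flag as a bare positional `1`, which is easy to misread; `escape(url, quote=1)` says what it does. Attribute quoting stops the href from being broken out of, but it does not constrain the URL's scheme — where `url` comes from is outside this hunk, and if it can derive from request data a scheme check belongs at that point rather than here. The triple-quoted message and the call that wraps it begin before the hunk.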