On Thu, 2002-10-24 at 09:33, Toby Dickenson wrote:
> > Removed most <dtml-var> to replace them with &dtml-foo;.
> > This corrects a number of potential XSS holes
>
> I assume that the XSS holes are the old dtml-var tags which didn't have
> html_quote?

Yes.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
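
Added example, not part of the original thread or of the project's code: a small Python audit pass that lists the <dtml-var> tags lacking an html_quote attribute, the pattern confirmed above as the source of the XSS holes. The function name, regexes and sample template are assumptions made for illustration; only the html_quote attribute is treated as quoting, and the &dtml-foo; entity form is never flagged.

```python
import re

# <dtml-var ...> tag; quoted expressions may contain '>' so they are matched as units.
DTML_VAR = re.compile(r'<dtml-var\b((?:"[^"]*"|[^>"])*)>', re.IGNORECASE)
QUOTED = re.compile(r'"[^"]*"')
# html_quote as a standalone attribute (assumption: the only quoting form recognised here).
HTML_QUOTE = re.compile(r'(?<![\w-])html_quote(?![\w-])', re.IGNORECASE)


def find_unquoted_vars(template):
    """Return (line_number, tag) for each <dtml-var> without html_quote."""
    findings = []
    for match in DTML_VAR.finditer(template):
        # Blank out quoted expressions so "html_quote" inside a string does not count.
        attrs = QUOTED.sub('""', match.group(1))
        if not HTML_QUOTE.search(attrs):
            line = template.count("\n", 0, match.start()) + 1
            findings.append((line, match.group(0)))
    return findings


# Constructed sample template, not taken from the commit under discussion.
SAMPLE = '''<h1><dtml-var title></h1>
<p><dtml-var description html_quote></p>
<p>&dtml-author;</p>
<a href="&dtml-absolute_url;"><dtml-var "getId() > 'a' and 'html_quote'"></a>
<dtml-var expr="REQUEST['q']" html_quote>
'''

if __name__ == "__main__":
    for line, tag in find_unquoted_vars(SAMPLE):
        print(f"line {line}: {tag}")
```

Each reported tag still needs a manual look, since some values are meant to be inserted as raw HTML.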