[Zope] combining form variables and URL values
Jamie Heilman
jamie@audible.transient.net
Tue, 10 Jun 2003 15:14:28 -0700
Dylan Reinhardt wrote:
>
> <dtml-if form_submitted>
> <dtml-var "my_report_maker(REQUEST)">
> <dtml-else>
> <form method=post action=my_report>
> <input type=hidden name=form_submitted value=1>
> <input type=hidden name=UID value=<dtml-var UID>>
> <input type=hidden name=skin value=<dtml-var skin>>
Those last two lines should read:
<input type="hidden" name="UID" value="&dtml-UID;" />
<input type="hidden" name="skin" value="&dtml-skin;" />
When giving examples, I find it best to refrain from introducing
blatant cross site scripting holes.
--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying
to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
I liked you better when you weren't saying squat kid." -Buddy
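
Added illustration, not part of the original message and not Zope code: a Python check that renders the hidden UID field both ways and parses the result to confirm the request value stays inside the value attribute. The function names and sample values are constructed for this example, and html.escape is assumed here as a stand-in for the HTML quoting that the &dtml-UID; entity syntax applies.

```python
from html import escape
from html.parser import HTMLParser


def render_unquoted(uid):
    # Mirrors: <input type=hidden name=UID value=<dtml-var UID>>
    return "<input type=hidden name=UID value=%s>" % uid


def render_quoted(uid):
    # Mirrors: <input type="hidden" name="UID" value="&dtml-UID;" />
    # (assumption: html.escape stands in for DTML's HTML quoting)
    return '<input type="hidden" name="UID" value="%s" />' % escape(uid, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes as the parser sees them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def value_is_contained(markup, uid):
    """True only if the markup is one <input> whose value is exactly uid."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    expected = {"type": "hidden", "name": "UID", "value": uid}
    return parser.tags == [("input", expected)]


# Constructed sample request values: a normal id, one that adds an extra
# attribute, and one that closes the tag and opens a new element.
SAMPLES = ["42", "7 data-extra=1", "7><b>x</b>"]

if __name__ == "__main__":
    for uid in SAMPLES:
        print(repr(uid),
              "unquoted ok:", value_is_contained(render_unquoted(uid), uid),
              "quoted ok:", value_is_contained(render_quoted(uid), uid))
```

A check like this can run as a regression test over any template that echoes request variables into attributes.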