[Zope-Checkins] CVS: Zope/doc - CHANGES.txt:1.511
Martijn Pieters
mj@zope.com
Thu, 1 Aug 2002 12:01:09 -0400
Update of /cvs-repository/Zope/doc
In directory cvs.zope.org:/tmp/cvs-serv9325/doc
Modified Files:
CHANGES.txt
Log Message:
Big change
- Make DTML automatically html quote data indirectly taken from REQUEST
which contain a '<'. Make sure (almost) all string operations preserve the
taint on this data.
- Fix exceptions that use REQUEST data; quote the data.
- Don't let form and cookie values mask the REQUEST computed values such as
URL0 and BASE1.
=== Zope/doc/CHANGES.txt 1.510 => 1.511 ===
- FileLibrary and GuestBook example applications gave anonymous
users the Manager proxy role when uploading files - a potential
- vulnerability on production servers.
+ vulnerability on production servers.
+
+ - Exceptions that use untrusted information from a REQUEST object in
+ the exception message now html-quote that information.
Features Added
+
+ - <dtml-var name> and &dtml.-name; will now automatically HTML-quote
+ unsafe data taken implictly from the REQUEST object. Data taken
+ explicitly from the REQUEST object is not affected, as well as any
+ other data not originating from REQUEST.
- ZCatalog index management ui is now integrated into ZCatalog rather
than being a subobject managment screen with different tabs.
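Review bot: the new Features Added entry has a typo, "implictly" should be "implicitly", and "unsafe data" is vaguer than the log message, which says the auto-quoting applies to data indirectly taken from REQUEST that contains a '<'; stating that condition in the entry would tell users exactly which values get quoted. The visible hunk also carries no entry for the third item in the log message (form and cookie values no longer masking computed REQUEST values such as URL0 and BASE1); if that change is in this commit it deserves its own Bugs Fixed line, since it alters how REQUEST lookups resolve.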