[Zope-Checkins] CVS: Zope/lib/python/ZClasses/dtml - contents.dtml:1.2.212.1

Florent Guillaume fg@nuxeo.com
Sun, 22 Dec 2002 11:16:19 -0500


Update of /cvs-repository/Zope/lib/python/ZClasses/dtml
In directory cvs.zope.org:/tmp/cvs-serv2325/lib/python/ZClasses/dtml

Modified Files:
      Tag: Zope-2_6-branch
	contents.dtml 
Log Message:
Fixed insufficient quoting in a number of DTML files when displaying
the title. This closes some actual and potential XSS holes. (Collector #595)


=== Zope/lib/python/ZClasses/dtml/contents.dtml 1.2 => 1.2.212.1 ===
--- Zope/lib/python/ZClasses/dtml/contents.dtml:1.2	Mon Jan  8 17:47:07 2001
+++ Zope/lib/python/ZClasses/dtml/contents.dtml	Sun Dec 22 11:16:18 2002
@@ -28,7 +28,7 @@
     <dtml-var "_['sequence-key'][10:]"> 
   <dtml-else ><dtml-var sequence-key> 
   </dtml-if>
-  <dtml-if title>(<dtml-var title>)</dtml-if>
+  <dtml-if title>(&dtml-title;)</dtml-if>
   </A>
   <dtml-if locked_in_version>
     <dtml-if modified_in_version>
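Review bot: The two `sequence-key` renderings in the context lines directly above the changed line, `<dtml-var "_['sequence-key'][10:]">` and `<dtml-var sequence-key>`, are still emitted without `html_quote`, inside the same `<A>` element as the title that is now escaped. If the key can contain user-supplied characters, it needs the same treatment, for example `<dtml-var sequence-key html_quote>` and `html_quote` on the sliced expression as well. If ids are already restricted to safe characters elsewhere, a short comment in the template saying so would keep a later reader from assuming this spot was missed.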
@@ -63,7 +63,7 @@
 <TABLE BORDER="0" CELLSPACING="0" CELLPADDING="2">
 <TR>
 <TD>
-There are currently no items in <EM><dtml-var title_or_id></EM>
+There are currently no items in <EM>&dtml-title_or_id;</EM>
 <P>
 <dtml-if cb_dataValid>
 <INPUT TYPE="SUBMIT" NAME="manage_pasteObjects:method" VALUE="Paste">