[Zope-Checkins] CVS: Zope/lib/python/App/dtml - cpContents.dtml:1.4.8.1 debug.dtml:1.5.124.1 distributionView.dtml:1.2.214.1 manage_page_header.dtml:1.11.32.1

Florent Guillaume fg@nuxeo.com
Sun, 22 Dec 2002 11:16:45 -0500


Update of /cvs-repository/Zope/lib/python/App/dtml
In directory cvs.zope.org:/tmp/cvs-serv2325/lib/python/App/dtml

Modified Files:
      Tag: Zope-2_6-branch
	cpContents.dtml debug.dtml distributionView.dtml 
	manage_page_header.dtml 
Log Message:
Fixed insufficient quoting in a number of DTML files when displaying
the title. This closes some actual and potential XSS holes. (Collector #595)


=== Zope/lib/python/App/dtml/cpContents.dtml 1.4 => 1.4.8.1 ===
--- Zope/lib/python/App/dtml/cpContents.dtml:1.4	Tue Jul  9 11:14:51 2002
+++ Zope/lib/python/App/dtml/cpContents.dtml	Sun Dec 22 11:16:14 2002
@@ -144,7 +144,7 @@
   <td align="left" valign="top">
   <div class="list-item">
   <a href="<dtml-var sequence-key url_quote>/manage_workspace">
-  <dtml-var title> 
+  &dtml-title;
   </a>
   <dtml-if locked_in_version>
     <dtml-if modified_in_version>
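Review bot: the link text is now escaped with `&dtml-title;`, which is DTML's shorthand for `<dtml-var title html_quote>`, the right filter for element content, and the `url_quote` on `sequence-key` in the href above it is the right filter for a path segment, so the two contexts are now each handled correctly. Two small points: the removed line `<dtml-var title> ` carried trailing whitespace and the replacement still sits on its own line, so the anchor text keeps a leading and trailing newline; putting `&dtml-title;` on the `<a ...>` line would avoid that. Since this hunk fixes a single occurrence, it is worth grepping the rest of cpContents.dtml for any other unfiltered `<dtml-var title>` before the branch is tagged, so one place is not escaped while others are not.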


=== Zope/lib/python/App/dtml/debug.dtml 1.5 => 1.5.124.1 ===
--- Zope/lib/python/App/dtml/debug.dtml:1.5	Wed Sep 19 21:43:03 2001
+++ Zope/lib/python/App/dtml/debug.dtml	Sun Dec 22 11:16:14 2002
@@ -1,7 +1,7 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
 <html>
 <head>
-<title><dtml-if title><dtml-var title></dtml-if></title>
+<title><dtml-if title>&dtml-title;</dtml-if></title>
 <link rel="stylesheet" type="text/css" href="<dtml-var BASEPATH1>/manage_page_style.css">
 <dtml-if debug_auto_reload>
 <meta HTTP-EQUIV="Refresh"
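Review bot: `&dtml-title;` inside `<title>` is the correct fix, and keeping the `<dtml-if title>` guard means an object without a title renders an empty element rather than raising. While this header is being touched, the stylesheet link two lines below inserts `<dtml-var BASEPATH1>` into an href attribute with no filter at all; if BASEPATH1 is always a server-derived path that is fine, but if there is any doubt, `&dtml-BASEPATH1;` (or `url_quote`) would bring that line in step with the rest of this commit. A one-line comment in the file noting that `&dtml-x;` implies `html_quote` would also help the next maintainer see why the syntax differs from the surrounding `<dtml-var ...>` tags.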


=== Zope/lib/python/App/dtml/distributionView.dtml 1.2 => 1.2.214.1 ===
--- Zope/lib/python/App/dtml/distributionView.dtml:1.2	Mon Jan  8 17:46:57 2001
+++ Zope/lib/python/App/dtml/distributionView.dtml	Sun Dec 22 11:16:14 2002
@@ -43,7 +43,7 @@
   <dtml-in objectItems>
   <option value="<dtml-var sequence-key html_quote>" <dtml-
    if "_['sequence-key'] in configurable_objects_"
-   >SELECTED</dtml-if>><dtml-var title_and_id></option>
+   >SELECTED</dtml-if>>&dtml-title_and_id;</option>
   </dtml-in>
   </select>
   </td>
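Review bot: both places where object data reaches this page are now escaped, `html_quote` on the `value` attribute and `&dtml-title_and_id;` in the option body, so the option markup is consistent; good. One readability point: the `<dtml-` / `if "_['sequence-key'] in configurable_objects_"` tag is split across two lines in the middle of the tag name, which is easy to break on the next edit and hard to grep for; writing the whole `<dtml-if "...">SELECTED</dtml-if>` on one line, or moving the condition into a `<dtml-let>` above the `<option>`, would make the escaping in this block easier to audit.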


=== Zope/lib/python/App/dtml/manage_page_header.dtml 1.11 => 1.11.32.1 ===
--- Zope/lib/python/App/dtml/manage_page_header.dtml:1.11	Wed Mar 27 05:14:00 2002
+++ Zope/lib/python/App/dtml/manage_page_header.dtml	Sun Dec 22 11:16:14 2002
@@ -6,7 +6,7 @@
 </dtml-unless>
 <meta http-equiv="content-type" content="text/html;charset=<dtml-var management_page_charset>">
 <dtml-call "RESPONSE.setHeader('content-type','text/html;charset='+management_page_charset)">
-<title><dtml-if title><dtml-var title></dtml-if></title>
+<title><dtml-if title>&dtml-title;</dtml-if></title>
 <dtml-let ag="REQUEST.get('HTTP_USER_AGENT', '')"
      is_nav4="ag[:9] == 'Mozilla/4' and _.string.find(ag, 'MSIE') < 0"
      use_css="REQUEST.get('zmi_use_css', '1')"
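Review bot: the `<title>` change matches debug.dtml, so both management headers now escape the title the same way. In the two context lines above it, `management_page_charset` is interpolated unfiltered into the meta `content` attribute and concatenated into the Content-Type response header; that value is presumably a site-wide setting rather than request data, but since this commit is specifically about quoting in these templates, confirming that assumption, or simply using `&dtml-management_page_charset;` in the attribute, would round out the fix. The log message could also mention that only the four listed files were changed so that readers of the branch know which templates still need the same audit.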