[Zope-Checkins] CVS: Zope/lib/python/HelpSys/dtml - APIHelpView.dtml:1.4.118.1 APIView.dtml:1.3.196.1 attributeView.dtml:1.2.228.1 button.dtml:1.2.228.1 frame.dtml:1.2.228.1 helpsys_main.dtml:1.2.228.1 menu.dtml:1.3.80.1 menu_header.dtml:1.2.228.1 methodView.dtml:1.2.228.1 objectitem.dtml:1.2.228.1 results.dtml:1.2.228.1 topic_header.dtml:1.2.228.1

Florent Guillaume fg@nuxeo.com
Wed, 23 Oct 2002 19:06:43 -0400


Update of /cvs-repository/Zope/lib/python/HelpSys/dtml
In directory cvs.zope.org:/tmp/cvs-serv26857/lib/python/HelpSys/dtml

Modified Files:
      Tag: efge-death-to-dtml-var-branch
	APIHelpView.dtml APIView.dtml attributeView.dtml button.dtml 
	frame.dtml helpsys_main.dtml menu.dtml menu_header.dtml 
	methodView.dtml objectitem.dtml results.dtml topic_header.dtml 
Log Message:
Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.


=== Zope/lib/python/HelpSys/dtml/APIHelpView.dtml 1.4 => 1.4.118.1 ===
--- Zope/lib/python/HelpSys/dtml/APIHelpView.dtml:1.4	Tue Oct 16 20:08:46 2001
+++ Zope/lib/python/HelpSys/dtml/APIHelpView.dtml	Wed Oct 23 19:06:12 2002
@@ -7,7 +7,7 @@
 <dl><dd>
 <h2 class="api">
 <dtml-in apis>
-<a href="#<dtml-var name>"><dtml-var name></a>
+<a href="#&dtml.url_quote-name;">&dtml-name;</a>
 <dtml-unless sequence-end> , </dtml-unless>
 </dtml-in>
 </h2>
@@ -19,7 +19,7 @@
 <dl><dd>
 <h2 class="api">
 <dtml-in funcs>
-<a href="#<dtml-var name>"><dtml-var name></a>
+<a href="#&dtml.url_quote-name;">&dtml-name;</a>
 <dtml-unless sequence-end> , </dtml-unless>
 </dtml-in>
 </h2>


=== Zope/lib/python/HelpSys/dtml/APIView.dtml 1.3 => 1.3.196.1 ===
--- Zope/lib/python/HelpSys/dtml/APIView.dtml:1.3	Mon Feb 19 15:17:28 2001
+++ Zope/lib/python/HelpSys/dtml/APIView.dtml	Wed Oct 23 19:06:12 2002
@@ -1,9 +1,8 @@
-<a name="<dtml-var name>"></a>
+<a name="&dtml-name;"></a>
 <h2 class="api">class
-  <dtml-var name><dtml-if extends>
+  &dtml-name;<dtml-if extends>
 (<dtml-in extends>
-<a href="/Control_Panel/Products/<dtml-var sequence-item>"><dtml-var
-sequence-key></a><dtml-unless sequence-end>, </dtml-unless>
+<a href="/Control_Panel/Products/&dtml-sequence-item;">&dtml-sequence-key;</a><dtml-unless sequence-end>, </dtml-unless>
 </dtml-in>)
 </dtml-if>
 </h2>
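Review bot: in the `extends` loop, `href="/Control_Panel/Products/&dtml-sequence-item;"` gets HTML quoting only, while the other hrefs in this commit that embed a value into a URL (the `#&dtml.url_quote-name;` fragments, `help_url`) go through a url_quote variant. HTML quoting keeps the value inside the attribute but does not make it a well-formed path component. Either use `&dtml.url_quote-sequence-item;` here, or, if `sequence-item` is already a ready-made URL path, say so in a DTML comment so the next audit does not have to rediscover it.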


=== Zope/lib/python/HelpSys/dtml/attributeView.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/HelpSys/dtml/attributeView.dtml:1.2	Mon Jan  8 17:46:58 2001
+++ Zope/lib/python/HelpSys/dtml/attributeView.dtml	Wed Oct 23 19:06:12 2002
@@ -1,3 +1,3 @@
 <a name="&dtml-name;"></a>
-<h2 class="attribute"><dtml-var name> = <dtml-var value>
+<h2 class="attribute">&dtml-name; = &dtml-value;
 </h2>


=== Zope/lib/python/HelpSys/dtml/button.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/HelpSys/dtml/button.dtml:1.2	Mon Jan  8 17:46:58 2001
+++ Zope/lib/python/HelpSys/dtml/button.dtml	Wed Oct 23 19:06:12 2002
@@ -9,9 +9,9 @@
 //-->
 </SCRIPT>
 <font face="Verdana, Arial, Helvetica" size="1">
-<FORM ACTION="<dtml-var absolute_url>" METHOD="get" target="zope_help" 
- onSubmit="return openHelpWindow('<dtml-var absolute_url>?help_url=<dtml-var helpURL>');">
-<input type="hidden" name="help_url" value="<dtml-var helpURL>">
+<FORM ACTION="&dtml-absolute_url;" METHOD="get" target="zope_help" 
+ onSubmit="return openHelpWindow('&dtml-absolute_url;?help_url=&dtml.url_quote_plus-helpURL;');">
+<input type="hidden" name="help_url" value="&dtml-helpURL;">
 <input type="submit" name="submit" value=" Help ">
 </FORM>
 </font>
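Review bot: in the `onSubmit` handler, `&dtml-absolute_url;` is placed inside a single-quoted JavaScript string, and HTML quoting is the wrong escaping for that context. The browser decodes entities in the attribute value before the handler source is parsed, so HTML quoting protects the attribute boundary but not the string literal passed to `openHelpWindow('...')`. `helpURL` is covered because `url_quote_plus` percent-encodes quotes, but `absolute_url` is not. Since it is server-generated the exposure is small, but for consistency I would url-quote it as well, or drop the inline handler and have the script read the form's `action` and the hidden `help_url` field.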


=== Zope/lib/python/HelpSys/dtml/frame.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/HelpSys/dtml/frame.dtml:1.2	Mon Jan  8 17:46:58 2001
+++ Zope/lib/python/HelpSys/dtml/frame.dtml	Wed Oct 23 19:06:12 2002
@@ -7,7 +7,7 @@
 MARGINWIDTH="2" MARGINHEIGHT="2" SCROLLING="auto">
 <FRAME
 <dtml-if "_.has_key('help_url')">
-SRC="<dtml-var help_url>"
+SRC="&dtml.url_quote-help_url;"
 <dtml-else>
 SRC="main"
 </dtml-if>
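Review bot: `SRC="&dtml.url_quote-help_url;"` applies url_quote to a whole URL rather than to one component, which looks like a functional regression. If url_quote behaves like `urllib.quote` with its default safe set, the `:` of a scheme and any `?` or `=` of a query string in `help_url` are percent-encoded, so such values stop resolving as intended. If the goal is only to keep the value inside the attribute, `&dtml-help_url;` is sufficient. Separately, `help_url` is taken from the namespace via `_.has_key('help_url')`, and quoting does not constrain which page the frame loads. A check that it is a path below the help system would be the stronger fix and could go in a follow-up.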


=== Zope/lib/python/HelpSys/dtml/helpsys_main.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/HelpSys/dtml/helpsys_main.dtml:1.2	Mon Jan  8 17:46:58 2001
+++ Zope/lib/python/HelpSys/dtml/helpsys_main.dtml	Wed Oct 23 19:06:12 2002
@@ -36,7 +36,7 @@
 and Folders. Other references will be added soon.
 </p>
 <ul>
-<li> <a href="<dtml-var BASE1>/HelpSys/ObjectRef/hs_main">
+<li> <a href="&dtml-BASE1;/HelpSys/ObjectRef/hs_main">
      Object Reference
      </a>
 


=== Zope/lib/python/HelpSys/dtml/menu.dtml 1.3 => 1.3.80.1 ===
--- Zope/lib/python/HelpSys/dtml/menu.dtml:1.3	Thu Feb 28 08:28:39 2002
+++ Zope/lib/python/HelpSys/dtml/menu.dtml	Wed Oct 23 19:06:12 2002
@@ -4,9 +4,9 @@
 
 <dtml-tree sort=id>
 <dtml-if "meta_type =='Help Topic'">
-  <a href="<dtml-var absolute_url>" target="help_main"><dtml-var title_or_id></a>
+  <a href="&dtml-absolute_url;" target="help_main">&dtml-title_or_id;</a>
 <dtml-else>
-  <dtml-var title>
+  &dtml-title;
 </dtml-if>
 </dtml-tree>
 


=== Zope/lib/python/HelpSys/dtml/menu_header.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/HelpSys/dtml/menu_header.dtml:1.2	Mon Jan  8 17:46:58 2001
+++ Zope/lib/python/HelpSys/dtml/menu_header.dtml	Wed Oct 23 19:06:12 2002
@@ -1,5 +1,5 @@
 <html>
 <head>
-  <title><dtml-var title></title>
+  <title>&dtml-title;</title>
 </head>
 <body bgcolor="#FFFFFF">


=== Zope/lib/python/HelpSys/dtml/methodView.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/HelpSys/dtml/methodView.dtml:1.2	Mon Jan  8 17:46:58 2001
+++ Zope/lib/python/HelpSys/dtml/methodView.dtml	Wed Oct 23 19:06:12 2002
@@ -1,14 +1,14 @@
 <a name="&dtml-name;"></a>
-<h2 class="method"><dtml-var name>(<dtml-in required><dtml-var sequence-item><dtml-if sequence-end>
+<h2 class="method">&dtml-name;(<dtml-in required>&dtml-sequence-item;<dtml-if sequence-end>
 <dtml-if optional>, </dtml-if>
 <dtml-else>,
 </dtml-if>
 </dtml-in>
 <dtml-in optional>
-<dtml-var sequence-key>=<dtml-var sequence-item><dtml-unless sequence-end>, </dtml-unless>
+&dtml-sequence-key;=&dtml-sequence-item;<dtml-unless sequence-end>, </dtml-unless>
 </dtml-in>
-<dtml-if varargs>, *<dtml-var varargs></dtml-if>
-<dtml-if kwargs>, **<dtml-var kwargs></dtml-if>):
+<dtml-if varargs>, *&dtml-varargs;</dtml-if>
+<dtml-if kwargs>, **&dtml-kwargs;</dtml-if>):
 </h2>
 
 <dl><dd>


=== Zope/lib/python/HelpSys/dtml/objectitem.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/HelpSys/dtml/objectitem.dtml:1.2	Mon Jan  8 17:46:58 2001
+++ Zope/lib/python/HelpSys/dtml/objectitem.dtml	Wed Oct 23 19:06:12 2002
@@ -13,14 +13,14 @@
 
 
 
-<h3><dtml-if icon><img src="&dtml-BASEPATH1;/<dtml-var icon>" height="16" width="16" alt=""></dtml-if> <dtml-var meta_type></h3>
+<h3><dtml-if icon><img src="&dtml-BASEPATH1;/&dtml-icon;" height="16" width="16" alt=""></dtml-if> &dtml-meta_type;</h3>
 
 <code>
 <dtml-var get_docstring_html>
 </code>
 
 
-<h3><dtml-var meta_type> methods</h3>
+<h3>&dtml-meta_type; methods</h3>
 
 <dtml-call "REQUEST.set('cached_method_list', get_method_list())">
 <dtml-call "REQUEST.set('row_max', _.len(cached_method_list)/2)">
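Review bot: `<dtml-var get_docstring_html>` in the context lines of this hunk stays unquoted, and nothing in the template says why. The commit message states the aim is to make the remaining legitimate `<dtml-var>` uses easy to audit, so please add a short DTML comment next to it noting that the value is intentionally emitted as HTML and that `get_docstring_html` is responsible for escaping the docstring text it wraps.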
@@ -33,14 +33,14 @@
 <td align="left" valign="top">
 <code>
 <dtml-in "cached_method_list[:row_max]">
-<a href="#<dtml-var get_name>"><dtml-var get_name></a><br>
+<a href="#&dtml.url_quote-get_name;">&dtml-get_name;</a><br>
 </dtml-in>
 </code>
 </td>
 <td align="left" valign="top">
 <code>
 <dtml-in "cached_method_list[row_max:]">
-<a href="#<dtml-var get_name>"><dtml-var get_name></a><br>
+<a href="#&dtml.url_quote-get_name;">&dtml-get_name;</a><br>
 </dtml-in>
 </code>
 </td>
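Review bot: the link fragments in both `cached_method_list` loops are now `href="#&dtml.url_quote-get_name;"`, but the anchor they point to is written in the next hunk as `<a name="&dtml-get_name;">`, with HTML quoting only. For any `get_name` containing a character that url_quote rewrites, the fragment and the anchor name are encoded differently and the in-page link may no longer land on its target. Use the same encoding on both sides, or note that `get_name` is always a plain identifier. The same pairing exists between `APIHelpView.dtml` (`#&dtml.url_quote-name;`) and the `<a name="&dtml-name;">` anchor in `APIView.dtml`.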
@@ -51,13 +51,13 @@
 <dl>
 <dtml-in cached_method_list>
 <dt><code>
-    <a name="<dtml-var get_name>">
-    <strong><dtml-var get_signature></strong>
+    <a name="&dtml-get_name;">
+    <strong>&dtml-get_signature;</strong>
     </code>
 </dt>
 <dd><code>
 <dtml-if permission>
-    <strong>Permission:</strong> <dtml-var permission><br><br>
+    <strong>Permission:</strong> &dtml-permission;<br><br>
 </dtml-if>
 
 <dtml-if get_docstring_html>
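Review bot: the `<a name="&dtml-get_name;">` line touched here opens an anchor that is never closed before `</code>` and `</dt>`, so the markup relies on browser error recovery. Since the line is being changed anyway, close it the way `attributeView.dtml` and `methodView.dtml` do: `<a name="&dtml-get_name;"></a>`.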


=== Zope/lib/python/HelpSys/dtml/results.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/HelpSys/dtml/results.dtml:1.2	Mon Jan  8 17:46:58 2001
+++ Zope/lib/python/HelpSys/dtml/results.dtml	Wed Oct 23 19:06:12 2002
@@ -3,7 +3,7 @@
 <dtml-call "REQUEST.set('management_view', 'Search')">
 <dtml-var manage_tabs>
 
-<p>Help topics matching <b><dtml-var SearchableText></b>:</p>
+<p>Help topics matching <b>&dtml-SearchableText;</b>:</p>
 <p>
 <dtml-in "searchResults(REQUEST)">
 <a href="&dtml-BASEPATH1;&dtml-url;" target="help_main">&dtml-title_or_id;</a><br>


=== Zope/lib/python/HelpSys/dtml/topic_header.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/HelpSys/dtml/topic_header.dtml:1.2	Mon Jan  8 17:46:58 2001
+++ Zope/lib/python/HelpSys/dtml/topic_header.dtml	Wed Oct 23 19:06:12 2002
@@ -1,6 +1,6 @@
 <html>
 <head>
-<title><dtml-var title></title>
+<title>&dtml-title;</title>
 
 <style type="text/css">