[Zope-Checkins] CVS: Zope/lib/python/Products/ExternalMethod/dtml - methodEdit.dtml:1.4.2.1

Florent Guillaume fg@nuxeo.com
Wed, 23 Oct 2002 19:06:43 -0400


Update of /cvs-repository/Zope/lib/python/Products/ExternalMethod/dtml
In directory cvs.zope.org:/tmp/cvs-serv26857/lib/python/Products/ExternalMethod/dtml

Modified Files:
      Tag: efge-death-to-dtml-var-branch
	methodEdit.dtml 
Log Message:
Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.


=== Zope/lib/python/Products/ExternalMethod/dtml/methodEdit.dtml 1.4 => 1.4.2.1 ===
--- Zope/lib/python/Products/ExternalMethod/dtml/methodEdit.dtml:1.4	Thu Oct 17 15:49:35 2002
+++ Zope/lib/python/Products/ExternalMethod/dtml/methodEdit.dtml	Wed Oct 23 19:06:12 2002
@@ -10,7 +10,7 @@
     </div>
     </td>
     <td align="left" valign="top">
-     <dtml-var name="id" html_quote>
+     &dtml-id;
     </td>
   </tr>
   <tr>
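Review bot: no rendering change here, and that is worth stating in the log: `&dtml-id;` is DTML's entity shorthand for `<dtml-var id html_quote>`, so the output is byte-identical to the removed `<dtml-var name="id" html_quote>`. The gain is that the entity form cannot be written without quoting, so a later reader does not have to check each tag for a missing `html_quote`.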
@@ -21,7 +21,7 @@
     </td>
     <td align="left" valign="top">
     <input type="text" name="title" size="40"
-     value="<dtml-var title html_quote>" />
+     value="&dtml-title;" />
     </td>
   </tr>
   <tr>
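Review bot: the entity sits inside a double-quoted attribute (`value="&dtml-title;"`), which is only safe because DTML's `html_quote` escapes `"` along with `&`, `<` and `>`; it does not escape `'`, so the attribute must stay double-quoted as it is here. Anyone converting the other `value=` attributes in this file should keep that invariant rather than switching to single quotes.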
@@ -32,7 +32,7 @@
     </td>
     <td align="left" valign="top">
     <input type="text" name="module" size="40"
-     value="<dtml-var module html_quote>" />
+     value="&dtml-module;" />
     </td>
   </tr>
   <tr>
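Review bot: the entity syntax cannot carry the other `dtml-var` attributes (`missing`, `null`, `fmt`), so `&dtml-module;` raises on a missing `module` exactly as the old `<dtml-var module html_quote>` did; no behaviour change, since neither form used a default. If a default is ever added for a not-yet-saved method, the line has to go back to the tag form, and the `html_quote` must be carried along with it.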
@@ -43,7 +43,7 @@
     </td>
     <td align="left" valign="top">
     <input type="text" name="function" size="40"
-     value="<dtml-var function html_quote>" />
+     value="&dtml-function;" />
     </td>
   </tr>
   <tr>
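Review bot: the log message says "most" `<dtml-var>` were replaced and that the remaining ones are easier to audit, but this diff converts all four visible occurrences and does not say which, if any, were deliberately kept in this file or why. Listing the surviving `<dtml-var>` tags (or stating there are none left in methodEdit.dtml) in the log would make the auditability claim checkable from the commit itself.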