[Zope-Checkins] CVS: Zope/lib/python/Products/ZGadflyDA/dtml - connectionAdd.dtml:1.2.228.1 connectionEdit.dtml:1.2.228.1 table_info.dtml:1.2.228.1 table_menu.dtml:1.2.228.1 tables.dtml:1.2.228.1

Florent Guillaume fg@nuxeo.com
Wed, 23 Oct 2002 19:06:46 -0400


Update of /cvs-repository/Zope/lib/python/Products/ZGadflyDA/dtml
In directory cvs.zope.org:/tmp/cvs-serv26857/lib/python/Products/ZGadflyDA/dtml

Modified Files:
      Tag: efge-death-to-dtml-var-branch
	connectionAdd.dtml connectionEdit.dtml table_info.dtml 
	table_menu.dtml tables.dtml 
Log Message:
Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.


=== Zope/lib/python/Products/ZGadflyDA/dtml/connectionAdd.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/Products/ZGadflyDA/dtml/connectionAdd.dtml:1.2	Mon Jan  8 17:47:04 2001
+++ Zope/lib/python/Products/ZGadflyDA/dtml/connectionAdd.dtml	Wed Oct 23 19:06:15 2002
@@ -6,7 +6,7 @@
 
 <dtml-if data_sources>
     
-<form action="manage_addZ<dtml-var database_type>Connection" method="post">
+<form action="manage_addZ&dtml-database_type;Connection" method="post">
 <table cellspacing="0" cellpadding="2" border="0">
   <tr>
     <td align="left" valign="top">
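Review bot: On the rewritten `<form action=…>` line the new `&dtml-database_type;` applies html_quote to a value that is spliced into a URL path, so the escaping does not match the context; the same commit uses `&dtml.url_quote-Name;` for path segments in table_menu.dtml, and `action="manage_addZ&dtml.url_quote-database_type;Connection"` would keep the two templates consistent (url_quote output contains no characters that need HTML escaping, so nothing is lost). Since database_type is presumably a fixed product constant rather than request input, this is a consistency point rather than a live hole. The `<form>` element continues past the end of the hunk.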
@@ -46,9 +46,7 @@
     <div class="form-element">
     <select name="connection" size="5">
     <dtml-in data_sources>
-    <option value="<dtml-var sequence-key html_quote>"><dtml-var 
-     sequence-key><dtml-if sequence-item>, <dtml-var 
-     sequence-item></dtml-if></option>
+    <option value="&dtml-sequence-key;">&dtml-sequence-key;<dtml-if sequence-item>, &dtml-sequence-item;</dtml-if></option>
     </dtml-in>
     </select>
     </div>
@@ -80,8 +78,8 @@
 <dtml-else>
 
 <p class="form-help">
-Sorry, you cannot create any Zope <dtml-var database_type> Database 
-Connections because no <dtml-var database_type> databases exist, or 
+Sorry, you cannot create any Zope &dtml-database_type; Database 
+Connections because no &dtml-database_type; databases exist, or 
 all of the existing databases are in use. 
 </p>
 </dtml-if>


=== Zope/lib/python/Products/ZGadflyDA/dtml/connectionEdit.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/Products/ZGadflyDA/dtml/connectionEdit.dtml:1.2	Mon Jan  8 17:47:04 2001
+++ Zope/lib/python/Products/ZGadflyDA/dtml/connectionEdit.dtml	Wed Oct 23 19:06:15 2002
@@ -11,7 +11,7 @@
     </td>
     <td align="left" valign="top">
     <div class="form-text">
-    <dtml-var id>
+    &dtml-id;
     </div>
     </td>
   </tr>
@@ -23,7 +23,7 @@
     </td>
     <td align="left" valign="top">
     <input type="text" name="title" size="40" 
-     value="<dtml-var title html_quote>" />
+     value="&dtml-title;" />
     </td>
   </tr>
   <tr>
@@ -43,10 +43,8 @@
     <div class="form-element">
     <select name="connection_string" size="5">
     <dtml-in data_sources>
-    <option value="<dtml-var sequence-key html_quote>"<dtml-if 
-     "_['sequence-key']==connection_string"> selected</dtml-if>><dtml-var 
-     sequence-key><dtml-if sequence-item>, <dtml-var 
-     sequence-item></dtml-if></option>
+    <option value="&dtml-sequence-key;"<dtml-if 
+     "_['sequence-key']==connection_string"> selected</dtml-if>>&dtml-sequence-key;<dtml-if sequence-item>, &dtml-sequence-item;</dtml-if></option>
     </dtml-in>
     </select>
     </div>
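Review bot: The two added `<option>` lines keep a line break inside `<dtml-if` before its expression but then join everything after it onto one very long line, so the wrapping is inconsistent with the rest of this file and with connectionAdd.dtml, where the equivalent option was collapsed onto a single line. Either keep each DTML tag on its own line or join it fully, e.g. `<option value="&dtml-sequence-key;"<dtml-if "_['sequence-key']==connection_string"> selected</dtml-if>>&dtml-sequence-key;<dtml-if sequence-item>, &dtml-sequence-item;</dtml-if></option>`. The escaping itself is right: the option label was previously rendered with an unquoted `<dtml-var sequence-key>`, and both value and label now go through html_quote.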


=== Zope/lib/python/Products/ZGadflyDA/dtml/table_info.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/Products/ZGadflyDA/dtml/table_info.dtml:1.2	Mon Jan  8 17:47:04 2001
+++ Zope/lib/python/Products/ZGadflyDA/dtml/table_info.dtml	Wed Oct 23 19:06:15 2002
@@ -1,7 +1,7 @@
 <dtml-var standard_html_header>
 
-<dtml-var TABLE_TYPE><dtml-if TABLE_OWNER>
-owned by <dtml-var TABLE_OWNER></dtml-if>
-<dtml-if REMARKS><br><dtml-var REMARKS></dtml-if>
+&dtml-TABLE_TYPE;<dtml-if TABLE_OWNER>
+owned by &dtml-TABLE_OWNER;</dtml-if>
+<dtml-if REMARKS><br>&dtml-REMARKS;</dtml-if>
 
 <dtml-var standard_html_footer>
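Review bot: The raw `<dtml-var standard_html_header>` and `<dtml-var standard_html_footer>` left at the top and bottom of this hunk are the "legitimate" cases the log message refers to, because they emit markup rather than data, but nothing in the template records that decision for the next auditor. A one-line `<dtml-comment>standard_html_header/footer emit markup and must stay as dtml-var; every data value uses an &dtml-name; entity so it is html-quoted</dtml-comment>` at the top of the file would document it; the same applies to the header/footer in table_menu.dtml and to `<dtml-var manage_tabs>` in tables.dtml. Note also that `&dtml-REMARKS;` now html-escapes the remarks text, so any table remarks that previously carried markup will render literally — presumably the intended effect, but worth a sentence in the log if anyone relied on it.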


=== Zope/lib/python/Products/ZGadflyDA/dtml/table_menu.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/Products/ZGadflyDA/dtml/table_menu.dtml:1.2	Mon Jan  8 17:47:04 2001
+++ Zope/lib/python/Products/ZGadflyDA/dtml/table_menu.dtml	Wed Oct 23 19:06:15 2002
@@ -1,5 +1,5 @@
 <dtml-var standard_html_header>
-<a href="tableNamed/<dtml-var Name>/manage_designInput">Design Input *</a>
-<a href="tableNamed/<dtml-var Name>/manage_designUpdate">Design Update *</a>
-<a href="tableNamed/<dtml-var Name>/manage_designDelete">Design Delete</a>
+<a href="tableNamed/&dtml.url_quote-Name;/manage_designInput">Design Input *</a>
+<a href="tableNamed/&dtml.url_quote-Name;/manage_designUpdate">Design Update *</a>
+<a href="tableNamed/&dtml.url_quote-Name;/manage_designDelete">Design Delete</a>
 <dtml-var standard_html_footer>
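Review bot: `&dtml.url_quote-Name;` in the three rewritten href attributes is the right quoting for a URL path segment, with one caveat to confirm: as far as I recall DTML's url_quote wraps urllib.quote with its default `safe='/'`, so a table Name containing `/` would still be emitted unencoded and would split into extra path segments under `tableNamed/`. If table names can originate from untrusted schema input, check whether that is acceptable or whether a quoting that also encodes `/` is needed; if names are always plain identifiers this is fine as written. Separately, three adjacent `<a>` elements with no list structure is a pre-existing style issue; wrapping them in a `<ul>` of `<li>` would be the semantic markup.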


=== Zope/lib/python/Products/ZGadflyDA/dtml/tables.dtml 1.2 => 1.2.228.1 ===
--- Zope/lib/python/Products/ZGadflyDA/dtml/tables.dtml:1.2	Mon Jan  8 17:47:04 2001
+++ Zope/lib/python/Products/ZGadflyDA/dtml/tables.dtml	Wed Oct 23 19:06:15 2002
@@ -1,10 +1,10 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
 <html lang="en">
-  <head><title><dtml-var title_or_id> tables</title></head>
+  <head><title>&dtml-title_or_id; tables</title></head>
   <body bgcolor="#FFFFFF" link="#000099" vlink="#555555" alink="#77003B">
     <dtml-var manage_tabs>
     
-    <h2><dtml-var title_or_id> tables</h2>
+    <h2>&dtml-title_or_id; tables</h2>
     
     <form action="manage_wizard" method="POST">
       <table cellspacing="2">
@@ -14,8 +14,8 @@
 	  <td align="LEFT" valign="TOP">
              <select name="tables:list" size=9 multiple>
                <dtml-in table_info>
-                 <option value="<dtml-var sequence-key html_quote>">
-                   <dtml-var sequence-key> <dtml-var sequence-item>
+                 <option value="&dtml-sequence-key;">
+                   &dtml-sequence-key; &dtml-sequence-item;
                  </option>
                </dtml-in>
              </select>