[Zope-Checkins] CVS: Zope/lib/python/OFS/dtml - findResult.dtml:1.3.6.1

Tres Seaver tseaver at zope.com
Thu Jan 8 16:13:37 EST 2004


Update of /cvs-repository/Zope/lib/python/OFS/dtml
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/OFS/dtml

Modified Files:
      Tag: Zope-2_6-branch
	findResult.dtml 
Log Message:


   - Browsers that do not escape html in query strings such as 
     Internet Explorer 5.5 could potentially send a script tag in a 
     query string to the ZSearch interface for cross-site scripting.
     See Collector #813 for other XSS-related rationale.


=== Zope/lib/python/OFS/dtml/findResult.dtml 1.3 => 1.3.6.1 ===
--- Zope/lib/python/OFS/dtml/findResult.dtml:1.3	Thu Aug  1 15:09:28 2002
+++ Zope/lib/python/OFS/dtml/findResult.dtml	Thu Jan  8 16:13:06 2004
@@ -60,13 +60,13 @@
 <td width="50%">
  <div class="list-item">
  <dtml-in name="results" previous size="batch_size" start="query_start">
- <strong> <a href="<dtml-var name="URL"><dtml-var name="sequence-query">query_start=<dtml-var name="previous-sequence-start-number">">&lt; Previous</a></strong>
+ <strong> <a href="&dtml-URL;&dtml-sequence-query;query_start=&dtml-previous-sequence-start-number;">&lt; Previous</a></strong>
  <dtml-else>&nbsp;</dtml-in></div>
 </td>
 <td align="right" width="50%">
  <div class="list-item">
  <dtml-in name="results" next size=batch_size start=query_start>
- <strong><a href="<dtml-var URL><dtml-var sequence-query>query_start=<dtml-var next-sequence-start-number>">Next &gt;</a></strong>
+ <strong><a href="&dtml-URL;&dtml-sequence-query;query_start=&dtml-next-sequence-start-number;">Next &gt;</a></strong>
  <dtml-else>&nbsp;</dtml-in></div>
 </td>
 </tr>
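Review bot: the switch to the `&dtml-...;` entity form in both hunk lines is the right fix, because that form html-quotes the inserted value, and `sequence-query` (rebuilt from the request's query string) is the untrusted input here; `<dtml-var name="sequence-query">` emitted it raw inside a double-quoted `href`, so a `"` or `<` in the query string could close the attribute and inject markup. One style point in the unchanged context: `<dtml-in name="results" next size=batch_size start=query_start>` leaves its attribute values unquoted while the `previous` block a few lines above writes `size="batch_size" start="query_start"`; since this file is being touched for consistency of quoting anyway, it would be worth making the two `dtml-in` tags match. It would also help future readers if the log message named `sequence-query` explicitly as the quoted value, since `URL` is server-derived and the quoting there is defensive rather than the actual fix.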