[Zope-Checkins] CVS: Zope/lib/python/Products/ZopeTutorial - TutorialTopic.py:1.13.6.2

Tres Seaver tseaver at zope.com
Thu Jan 8 16:13:42 EST 2004


Update of /cvs-repository/Zope/lib/python/Products/ZopeTutorial
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/Products/ZopeTutorial

Modified Files:
      Tag: Zope-2_6-branch
	TutorialTopic.py 
Log Message:


   - Browsers that do not escape html in query strings such as 
     Internet Explorer 5.5 could potentially send a script tag in a 
     query string to the ZSearch interface for cross-site scripting.
     See Collector #813 for other XSS-related rationale.


=== Zope/lib/python/Products/ZopeTutorial/TutorialTopic.py 1.13.6.1 => 1.13.6.2 ===
--- Zope/lib/python/Products/ZopeTutorial/TutorialTopic.py:1.13.6.1	Wed Oct 16 17:34:37 2002
+++ Zope/lib/python/Products/ZopeTutorial/TutorialTopic.py	Thu Jan  8 16:13:11 2004
@@ -13,6 +13,7 @@
 import OFS.Folder
 from HelpSys.HelpTopic import TextTopic
 from Globals import HTML, DTMLFile, MessageDialog
+from cgi import escape
 import DateTime
 import DocumentTemplate
 import StructuredText
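Review bot: `cgi.escape(s, 1)` rewrites only `&`, `<`, `>` and `"`; it never touches `'` or the backslash, so every caller that drops the result into a JavaScript string literal (as the onClick substitution in this file does) has to add that handling itself. Rather than relying on each call site to remember the contract, wrap it once here, e.g. a small module-level helper next to this import that does `escape(s, 1)` followed by the backslash and single-quote escaping, and have the template substitutions call that helper.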
@@ -98,7 +99,8 @@
 <a href="%s/manage_main" target="manage_main"
 onClick="javascript:window.open('%s/manage_main', 'manage_main').focus()"
 >Show lesson examples</a> in another window.
-</p>""" % (url, url, url)
+</p>""" % (url.replace('"', '\\"'), escape(url, 1),
+           escape(url, 1).replace("'", "\\'"))
 
 
     tutorialNavigation=DTMLFile('dtml/tutorialNav', globals())
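Review bot: two of the three substitutions are not safe for the context they land in. The first `%s` gets only `url.replace('"', '\\"')`, which is JavaScript string-literal escaping and means nothing to an HTML parser: if that placeholder (its line is above this hunk and not visible here) sits in an HTML attribute, a `"` in the URL still terminates the attribute, and it should use `escape(url, 1)` like the `href` placeholder does. For the onClick placeholder, `escape(url, 1).replace("'", "\\'")` does not escape backslashes, so a URL containing `\'` becomes `\\'`, which the JS engine reads as an escaped backslash followed by an unescaped quote that ends the literal; a CR or LF in the URL ends the literal as well. Escape `\` before `'` (for example `url.replace('\\', '\\\\').replace("'", "\\'")`, plus `\r` and `\n`), and apply `escape(..., 1)` to that result, since the browser HTML-decodes the attribute value before the script runs. The patch's order (HTML escaping first, quote replacement second) only works because `escape` introduces neither quotes nor backslashes; once backslash escaping is added it must run first.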



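The log message describes a script tag or quote arriving in a query string and landing inside the tutorial link markup. The following is an added example, not code from this checkin or from Zope: it renders the two placeholders visible in the hunk (the `href` attribute and the JS string inside `onClick`) first unescaped and then with escaping chosen per context, mirrors the patch's onClick expression without importing the long-removed `cgi.escape`, and simulates how a browser would read the onClick value back. The template is trimmed to those two placeholders, and the sample URLs and helper names (`escape_html_attr`, `escape_js_string`, `patch_style_onclick`, `js_string_closes_early`) are constructed for this demonstration.

```python
# Added example (not Zope's code): the tutorial link markup from
# TutorialTopic.py, trimmed to the two placeholders visible in the hunk,
# rendered unescaped and then with per-context escaping. The sample URLs
# and the helper names below are constructed for this demonstration.
import html


TEMPLATE = (
    '<a href="%s/manage_main" target="manage_main"\n'
    'onClick="javascript:window.open(\'%s/manage_main\', \'manage_main\').focus()"\n'
    '>Show lesson examples</a> in another window.'
)


def escape_html_attr(s):
    """Escape for a double-quoted HTML attribute value (the href context).

    Also escapes the single quote, which cgi.escape(s, 1) leaves alone.
    """
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#39;"))


def escape_js_string(s):
    """Escape for the body of a single-quoted JavaScript string literal.

    Backslash is escaped first: otherwise an input ending in \\' would become
    \\\\' and the quote would still close the literal. CR and LF end a JS
    string literal too, and < > are hex-escaped so no tag can form if the
    literal ever lands in a <script> block.
    """
    return (s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
             .replace("\r", "\\r").replace("\n", "\\n")
             .replace("<", "\\x3c").replace(">", "\\x3e"))


def patch_style_onclick(url):
    """Mirror of the 1.13.6.2 onClick expression escape(url, 1).replace("'", "\\'").

    cgi.escape with quote=1 rewrites & < > and " only, so this is the same
    sequence of replacements written out by hand.
    """
    h = (url.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
            .replace('"', "&quot;"))
    return h.replace("'", "\\'")


def render_unpatched(url):
    """What 1.13.6.1 produced: the raw URL in both contexts."""
    return TEMPLATE % (url, url)


def render_hardened(url):
    """href is an attribute; onClick is an attribute wrapping a JS literal.

    The browser HTML-decodes the onClick value before the JS engine parses it,
    so the JS escaping is applied first and the HTML escaping on top of it.
    """
    return TEMPLATE % (escape_html_attr(url),
                       escape_html_attr(escape_js_string(url)))


def js_string_closes_early(attr_value):
    """Simulate the browser for one attribute value: HTML-decode it, then walk
    it as the body of a single-quoted JS literal and report whether an
    unescaped quote or line terminator ends the literal before the value does.
    """
    js = html.unescape(attr_value)
    i = 0
    while i < len(js):
        c = js[i]
        if c == "\\":
            i += 2              # escape sequence: the next char is literal
            continue
        if c == "'" or c in "\r\n":
            return True
        i += 1
    return False


if __name__ == "__main__":
    # Constructed attack inputs: attribute breakout and JS-literal breakout.
    attr_attack = 'http://host.invalid/"><script>alert(1)</script>'
    js_attack = "http://host.invalid/\\'); alert(1); //"   # contains \'
    print(render_unpatched(attr_attack))
    print(render_hardened(attr_attack))
    print("patch-style onClick closes early:",
          js_string_closes_early(patch_style_onclick(js_attack)))
    print("hardened onClick closes early:",
          js_string_closes_early(escape_html_attr(escape_js_string(js_attack))))
```

The order of the two escapers in `render_hardened` matters: the JS escaping is applied to the raw URL and the HTML escaping to its output, because that is the reverse of the order in which the browser decodes them. The `patch_style_onclick` helper reproduces the checkin's quote-only replacement so that `js_string_closes_early` can show where a backslash or a line terminator in the URL still ends the literal.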

More information about the Zope-Checkins mailing list