Quote variable in manage_tabs to avoid XSS.

From Products.PloneHotfix20160830.
zopefoundation · Sep 7, 2016 · 48eef20 · 48eef20
1 parent 4dfc8e7
commit 48eef20
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -5,7 +5,8 @@ Changelog
 2.0.1 (unreleased)
 ------------------
 
-- Nothing changed yet.
+- Quote variable in manage_tabs to avoid XSS.
+  From Products.PloneHotfix20160830.  [maurits]
 
 
 2.0.0 (2015-09-09)

diff --git a/Products/ExternalEditor/manage_tabs.dtml b/Products/ExternalEditor/manage_tabs.dtml
@@ -101,7 +101,7 @@
 
 <dtml-if manage_tabs_message>
 <div class="system-msg">
-<dtml-var manage_tabs_message newline_to_br>
+<dtml-var manage_tabs_message newline_to_br html_quote>
 (<dtml-var ZopeTime fmt="%Y-%m-%d %H:%M">)
 </div>
 </dtml-if>