Merged efge-death-to-dtml-var-branch into HEAD:

Removed most <dtml-var> to replace them with &dtml-foo;. This corrects a number of potential XSS holes, and simplifies auditability of the remaining legitimate <dtml-var>.
zopefoundation · Dec 22, 2002 · 3af08f2 · 3af08f2
1 parent 8431db6
commit 3af08f2
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/dtml/addLexicon.dtml b/dtml/addLexicon.dtml
@@ -53,7 +53,7 @@
             </select>
           <dtml-else>
             <input type="checkbox" name="elements.name:records" 
-                   value="<dtml-var expr="elements[0]">" checked />
+                   value="<dtml-var expr="elements[0]" html_quote>" checked />
           </dtml-if>
         </td>
       </tr>

diff --git a/dtml/addZCTextIndex.dtml b/dtml/addZCTextIndex.dtml
@@ -65,7 +65,7 @@ from the most relevant to the least relevant.
         <select name="extra.lexicon_id:record">
       </dtml-if>
       <option value="&dtml-id;">
-        &dtml-id; <dtml-var name="title" fmt="(%s)" null>
+        &dtml-id; <dtml-var name="title" fmt="(%s)" null html_quote>
       </option>
       <dtml-if sequence-end>
         </select>

diff --git a/dtml/manageZCTextIndex.dtml b/dtml/manageZCTextIndex.dtml
@@ -3,17 +3,17 @@
 
 <p class="form-help">
   Name of attribute indexed: 
-  <em><dtml-var getFieldName></em>
+  <em>&dtml-getFieldName;</em>
 </p>
 <p class="form-help">
   Index type: 
-  <em><dtml-var getIndexType></em>
+  <em>&dtml-getIndexType;</em>
 </p>
 <p class="form-help">
   ZCTextIndex Lexicon used: 
   <dtml-if getLexiconURL>
-    <a href="<dtml-var getLexiconURL>/manage_main"
-    ><dtml-var getLexiconURL></a>
+    <a href="&dtml.url_quote-getLexiconURL;/manage_main"
+    >&dtml-getLexiconURL;</a>
   <dtml-else>
     <em>(Lexicon Not Found)</em>
   </dtml-if>