Merged efge-death-to-dtml-var-branch into HEAD:

Removed most <dtml-var> to replace them with &dtml-foo;.
This corrects a number of potential XSS holes, and simplifies
auditability of the remaining legitimate <dtml-var>.

dtml/addIndexForm.dtml

@@ -11,7 +11,7 @@ help for adding indexes....
 </p>
 
 <form action="manage_addIndex" method="post">
-<input type=hidden name="type" value="<dtml-var index_type>">
+<input type=hidden name="type" value="&dtml-index_type;">
 
 <table cellspacing="0" cellpadding="2" border="0">
   <tr>

dtml/catalogAddRowForm.dtml

@@ -1,7 +1,7 @@
 <dtml-var manage_page_header>
 <dtml-var manage_tabs>
 
-<form action="<dtml-var URL1>">
+<form action="&dtml-URL1;">
 
 
 

dtml/catalogAdvanced.dtml

@@ -18,7 +18,7 @@
   </p>
   </td>
   <td align="right" valign="top">
-<form action="<dtml-var URL1>">
+<form action="&dtml-URL1;">
 <input class="form-element" type="submit" 
  name="manage_catalogReindex:method" value=" Update Catalog ">
 </form>
@@ -30,7 +30,7 @@
   </p>
   </td>
   <td align="right" valign="top">
-<form action="<dtml-var URL1>">
+<form action="&dtml-URL1;">
 <input class="form-element" type="submit" 
  name="manage_catalogClear:method" value=" Clear Catalog ">
 </form>
@@ -80,7 +80,7 @@
       </dtml-if></p>
   </td>
   <td align="right" valign="top">
-    <form action="<dtml-var URL1>" method="POST">
+    <form action="&dtml-URL1;" method="POST">
     <div class="form-element">
       <dtml-if threshold>
 	<input class="form-element" type="submit" 
@@ -109,8 +109,7 @@
   <td align="right" valign="top">
     <form action="manage_edit" method=POST>
      <div class="form-element">
-      <input name="threshold:int" value="<dtml-var
-      threshold html_quote>" />
+      <input name="threshold:int" value="&dtml-threshold;" />
       <input type="submit" name="submit" value="Set Threshold">
       </div>
     </form>

dtml/catalogFind.dtml

@@ -19,7 +19,7 @@ are found will be automatically added to the catalog.
   <SELECT NAME="obj_metatypes:list" SIZE="4" MULTIPLE>
   <OPTION VALUE="all" SELECTED> All types
 <dtml-in all_meta_types mapping>
-  <OPTION VALUE="<dtml-var name html_quote>"> <dtml-var name>
+  <OPTION VALUE="&dtml-name;"> &dtml-name;
 </dtml-in>
   </SELECT>
   </div>
@@ -85,7 +85,7 @@ are found will be automatically added to the catalog.
   <div class="form-element">
   <SELECT NAME="obj_roles:list" SIZE="3" MULTIPLE>
 <dtml-in valid_roles>
-  <OPTION VALUE="<dtml-var sequence-item html_quote>"> <dtml-var sequence-item>
+  <OPTION VALUE="&dtml-sequence-item;"> &dtml-sequence-item;
 </dtml-in>
   </SELECT>
   </div>
@@ -101,7 +101,7 @@ are found will be automatically added to the catalog.
   <div class="form-element">
   <SELECT NAME="obj_permission">
 <dtml-in permission_settings mapping>
-  <OPTION VALUE="<dtml-var name html_quote>"> <dtml-var name>
+  <OPTION VALUE="&dtml-name;"> &dtml-name;
 </dtml-in>
   </SELECT>
   </div>

dtml/catalogIndexes.dtml

@@ -142,11 +142,11 @@ function toggleSelect() {
     <td>
     <div class="list-item">
       <dtml-if "_.string.find(_.str(_.getattr(this(),'__implements__','old')),'PluggableIndexInterface')>-1">
-        <dtml-var meta_type>
+        &dtml-meta_type;
       <dtml-else>
          <dtml-call "REQUEST.set('oldidx',1)">
          (pre-2.4 index)
-         <dtml-var meta_type>
+         &dtml-meta_type;
       </dtml-if>
     </div>
     </td>

dtml/catalogObjectInformation.dtml

@@ -10,7 +10,7 @@
 <tr class="location-bar">
   <td colspan="2" align="left">
   <div class="std-text">
-  <strong>Catalog record at <dtml-var expr="getpath(_.int(rid))"></strong>
+  <strong>Catalog record at <dtml-var expr="getpath(_.int(rid))" html_quote></strong>
   </div>
   </td>
 </tr>

dtml/catalogSchema.dtml

@@ -22,18 +22,17 @@ the text contents, which is configured in the <b>Indexes</b> View
 tab).  This way, the summary data may be shown in the search results.
 </p>
 
-<form action="<dtml-var URL1>">
+<form action="&dtml-URL1;">
 
 <table cellspacing="0" cellpadding="2" border="0">
 <dtml-in schema sort=sequence-item>
   <tr>
     <td align="left" valign="top">
-    <input type="checkbox" name="names:list" value="<dtml-var 
-     sequence-item html_quote>" />
+    <input type="checkbox" name="names:list" value="&dtml-sequence-item;" />
     </td>
     <td align="left" valign="top">
     <div class="form-text">
-    <dtml-var sequence-item>
+    &dtml-sequence-item;
     </div>
     </td>
   </tr>

dtml/catalogStatus.dtml

@@ -26,7 +26,7 @@
 	<font color="red"><b>Disabled</b></font>
       </dtml-if></h3>
 
-    <form action="<dtml-var URL1>" method="POST">
+    <form action="&dtml-URL1;" method="POST">
     <div class="form-element">
       <dtml-if threshold>
 	<input class="form-element" type="submit" 
@@ -49,8 +49,7 @@
       memory.  If this number is higher, the Catalog will index
       quickly but consume much more memory.</p>
 
-      Subtransaction threshold: <input name="threshold:int" value="<dtml-var
-      threshold html_quote>" />
+      Subtransaction threshold: <input name="threshold:int" value="&dtml-threshold;" />
       <br>
       <div class="form-element">
       <input type="submit" name="submit" value="Save Changes">
@@ -65,7 +64,7 @@
       <dtml-in index_objects sort=id>
       <li>
 	<dtml-var "_.len(_['sequence-item'])"> 
-	object are indexed in <b><dtml-var "_['sequence-item'].id"></b>
+	object are indexed in <b><dtml-var "_['sequence-item'].id" html_quote></b>
       </li>
       </dtml-in>
     </ul>

dtml/catalogView.dtml

@@ -28,20 +28,19 @@ function toggleSelect() {
 //-->
 </script>
 
-<form action="<dtml-var name="URL1">" name="objectItems">
+<form action="&dtml-URL1;" name="objectItems">
 
 <p class="form-text">
-<dtml-var id> contains <dtml-var 
- searchResults fmt=collection-length thousands_commas> record(s).
+&dtml-id; contains <dtml-var searchResults fmt=collection-length thousands_commas> record(s).
 </p>
   <div class="form-text">
   <dtml-in searchResults previous size=20 start=query_start >
-    <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+    <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
       [Previous <dtml-var previous-sequence-size> entries]
     </a>
   </dtml-in>
   <dtml-in searchResults next size=20 start=query_start >
-    <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+    <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
       [Next <dtml-var next-sequence-size> entries]
     </a>
   </dtml-in>
@@ -72,7 +71,7 @@ function toggleSelect() {
     <td align="left" valign="top">
     <div class="form-text">
       <dtml-if expr="has_key('meta_type') and meta_type">
-        <dtml-var name="meta_type" size="15">
+        <dtml-var name="meta_type" size="15" html_quote>
       <dtml-else>
         <i>Unknown</i>
       </dtml-if>

dtml/editCatalogerForm.dtml

@@ -12,7 +12,7 @@ unindex itself to.
 <span class="form-label">
 Use Catalog: 
 </span>
-<input name="default" value="<dtml-var default_catalog html_quote>">
+<input name="default" value="&dtml-default_catalog;">
 <br>
 <div class="form-element">
 <input class="form-element" type="submit" value="Save Changes">

dtml/manage_vocab.dtml

@@ -4,21 +4,20 @@
 <dtml-if words>
 
 <p class="form-text">
-<dtml-var id> contains <em><dtml-var 
- words fmt=collection-length thousands_commas></em>
+&dtml-id; contains <em><dtml-var words fmt=collection-length thousands_commas></em>
  word(s).
 </p>
 
 <dtml-in words previous size=20 start=query_start >
   <span class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
     [Previous <dtml-var previous-sequence-size> entries]
   </a>
   </span>
 </dtml-in>
 <dtml-in words next size=20 start=query_start >
   <span class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
     [Next <dtml-var next-sequence-size> entries]
   </a>
   </span>
@@ -48,15 +47,15 @@
 
 <dtml-in words previous size=20 start=query_start >
   <div class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var previous-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var previous-sequence-start-number>">
     [Previous <dtml-var previous-sequence-size> entries]
   </a>
   </div>
 </dtml-in>
 
 <dtml-in words next size=20 start=query_start >
   <div class="list-nav">
-  <a href="<dtml-var URL>?query_start=<dtml-var next-sequence-start-number>">
+  <a href="&dtml-URL;?query_start=<dtml-var next-sequence-start-number>">
     [Next <dtml-var next-sequence-size> entries]
   </a>
   </div>

dtml/vocab_manage_main.dtml

@@ -1,7 +1,7 @@
 <dtml-var manage_page_header>
 <dtml-var manage_tabs>
 
-<h2>Edit <dtml-var id></h2>
+<h2>Edit &dtml-id;</h2>
 
 <!--