Merged efge-death-to-dtml-var-branch into HEAD:

Removed most <dtml-var> to replace them with &dtml-foo;. This corrects a number of potential XSS holes, and simplifies auditability of the remaining legitimate <dtml-var>.
zopefoundation · Dec 22, 2002 · fc40e5f · fc40e5f
1 parent 3818d96
commit fc40e5f
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 5 deletions.
diff --git a/dtml/add.dtml b/dtml/add.dtml
@@ -53,7 +53,7 @@ statement which the SQL Method will execute.
     <select name="connection_id">
               <dtml-in SQLConnectionIDs>
                 <option value="&dtml-sequence-item;">
-                <dtml-var sequence-key></option>
+                &dtml-sequence-key;</option>
               </dtml-in>
     </select>
     </div>

diff --git a/dtml/edit.dtml b/dtml/edit.dtml
@@ -23,7 +23,7 @@
   </td>
   <td align="left" valign="top">
   <input type="text" name="title" size="40" value="<dtml-if 
-   title><dtml-var title></dtml-if>">
+   title>&dtml-title;</dtml-if>">
   </td>
 </tr>
   <tr>
@@ -39,7 +39,7 @@
                 <option value="&dtml-sequence-item;"<dtml-if 
                  expr="connection_id==_vars['sequence-item']">
                  selected</dtml-if>>
-                <dtml-var sequence-key></option>
+                &dtml-sequence-key;</option>
               </dtml-in>
     </select>
     </div>
@@ -60,8 +60,7 @@
   <div style="width: 100%;">
   <textarea name="template:text" wrap="off" style="width: 100%;"
    cols=<dtml-var sql_pref__cols html_quote missing="60">
-   rows=<dtml-var sql_pref__rows html_quote missing="20">><dtml-var
-   src fmt="html-quote"></textarea>
+   rows=<dtml-var sql_pref__rows html_quote missing="20">>&dtml-src;</textarea>
   </div>
     </td>
   </tr>