Quote variables in manage_tabs and manage_container to avoid XSS.

From Products.PloneHotfix20160830.
zopefoundation · Sep 7, 2016 · 39d6f9f · 39d6f9f
1 parent e0a09da
commit 39d6f9f
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 7 deletions.
diff --git a/doc/CHANGES.rst b/doc/CHANGES.rst
@@ -8,6 +8,9 @@ http://docs.zope.org/zope2/
 2.13.25 (unreleased)
 --------------------
 
+- Quote variables in manage_tabs and manage_container to avoid XSS.
+  From Products.PloneHotfix20160830.  [maurits]
+
 - Add a dependency on the empty `Products.TemporaryFolder` project.
 
 - Add a dependency on the empty `Products.Sessions` project.

diff --git a/src/App/dtml/manage_tabs.dtml b/src/App/dtml/manage_tabs.dtml
@@ -156,7 +156,7 @@
 
 <dtml-if manage_tabs_message>
 <div class="system-msg">
-<dtml-var manage_tabs_message newline_to_br>
+<dtml-var manage_tabs_message newline_to_br html_quote>
 (<dtml-var ZopeTime fmt="%Y-%m-%d %H:%M">)
 </div>
 </dtml-if>

diff --git a/src/Products/Transience/dtml/manageTransientObjectContainer.dtml b/src/Products/Transience/dtml/manageTransientObjectContainer.dtml
@@ -38,7 +38,7 @@ Transient data will persist, but only for a user-specified period of time
     </div>
   </td>
   <td align="left" valign="top">
-    <input type="text" name="title" size=30 value="&dtml-title;">
+    <input type="text" name="title" size=30 value='<dtml-var name="title" html_quote>'>
   </td>
 </tr>
 <tr>
@@ -52,7 +52,7 @@ Transient data will persist, but only for a user-specified period of time
   </td>
   <td align="left" valign="top">
     <input type="text" name="timeout_mins:int" size=10
-     value=&dtml-getTimeoutMinutes;>
+           value='<dtml-var name="getTimeoutMinutes" html_quote>'>
   </td>
 </tr>
 
@@ -72,7 +72,7 @@ Transient data will persist, but only for a user-specified period of time
   </td>
   <td align="left" valign="top">
     <input type="text" name="period_secs:int" size=10
-     value=&dtml-getPeriodSeconds;>
+      value='<dtml-var name="getPeriodSeconds" html_quote>'>
   </td>
 </tr>
 
@@ -87,7 +87,7 @@ Transient data will persist, but only for a user-specified period of time
   </td>
   <td align="left" valign="top">
     <input type="text" name="limit:int" size=10
-     value=&dtml-getSubobjectLimit;>
+      value='<dtml-var name="getSubobjectLimit" html_quote>'>
   </td>
 </tr>
 
@@ -102,7 +102,7 @@ Transient data will persist, but only for a user-specified period of time
   </td>
   <td align="left" valign="top">
      <input type="text" name="addNotification"
-     	value="&dtml-getAddNotificationTarget;" size=40>
+       value='<dtml-var name="getAddNotificationTarget" html_quote>' size=40>
   </td>
 </tr>
 
@@ -117,7 +117,7 @@ Transient data will persist, but only for a user-specified period of time
   </td>
   <td align="left" valign="top">
      <input type="text" name="delNotification"
-     	value="&dtml-getDelNotificationTarget;" size=40>
+      value='<dtml-var name="getDelNotificationTarget" html_quote>' size=40>
   </td>
 </tr>