Commit 554c81bc authored by Tres Seaver's avatar Tres Seaver Committed by GitHub

Merge pull request #86 from zopefoundation/apply-plonehotfix-20170717-213

Apply plonehotfix 20170717 [2.13]
parents c668b3ef e130ee11
......@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/
2.13.26 (unreleased)
--------------------
- Fixed reflective XSS in findResult.
This applies PloneHotfix20170117. [maurits]
2.13.25 (2017-01-13)
......
......@@ -9,16 +9,16 @@
<dtml-if btn_submit>
<dtml-with "_.namespace(
results=PrincipiaFind(this(),
obj_ids=obj_ids,
obj_metatypes=obj_metatypes,
obj_searchterm=obj_searchterm,
obj_expr=obj_expr,
obj_mtime=obj_mtime,
obj_mspec=obj_mspec,
obj_permission=obj_permission,
obj_roles=obj_roles,
search_sub=search_sub,
results=PrincipiaFind(this(),
obj_ids=obj_ids,
obj_metatypes=obj_metatypes,
obj_searchterm=obj_searchterm,
obj_expr=obj_expr,
obj_mtime=obj_mtime,
obj_mspec=obj_mspec,
obj_permission=obj_permission,
obj_roles=obj_roles,
search_sub=search_sub,
REQUEST=REQUEST))">
<dtml-unless batch_size>
......@@ -29,14 +29,14 @@
<p class="std-text">
Displaying items
<dtml-in name="results" size=batch_size start=query_start>
<dtml-if sequence-start>&dtml-sequence-number;</dtml-if><dtml-if
sequence-end>-&dtml-sequence-number; of <dtml-var
"_.len(results)"></dtml-if></dtml-in> items matching your query. You can
<dtml-if sequence-start>&dtml-sequence-number;</dtml-if><dtml-if
sequence-end>-&dtml-sequence-number; of <dtml-var
"_.len(results)"></dtml-if></dtml-in> items matching your query. You can
<a href="#form">revise</a> your search terms below.
</p>
<dtml-else>
<p class="std-text">
No items were found matching your query. You can <a href="#form">revise</a>
No items were found matching your query. You can <a href="#form">revise</a>
your search terms below.
</p>
</dtml-if>
......@@ -128,7 +128,7 @@ your search terms below.
</div>
</TD>
<TD ALIGN="LEFT" VALIGN="TOP">
<INPUT TYPE="TEXT" NAME="obj_ids:tokens" SIZE="30" VALUE="<dtml-var "' '.join(obj_ids or [])">">
<INPUT TYPE="TEXT" NAME="obj_ids:tokens" SIZE="30" VALUE="<dtml-var "' '.join(obj_ids or [])" html_quote>">
</TD>
</TR>
......@@ -168,7 +168,7 @@ your search terms below.
<OPTION VALUE="&lt;" <dtml-if "REQUEST.obj_mspec == '<'">SELECTED</dtml-if>> before
<OPTION VALUE="&gt;" <dtml-if "REQUEST.obj_mspec == '>'">SELECTED</dtml-if>> after
</SELECT>
</SELECT>
</div>
<INPUT TYPE="TEXT" NAME="obj_mtime" SIZE="22" VALUE="&dtml-obj_mtime;">
</TD>
......@@ -192,7 +192,7 @@ your search terms below.
<dtml-else>
<OPTION VALUE="&dtml-sequence-item;">&dtml-sequence-item;
</dtml-if>
</dtml-in>
</SELECT>
</div>
......@@ -230,7 +230,7 @@ your search terms below.
<OPTION VALUE="id">Id
<OPTION VALUE="meta_type">Type
<OPTION VALUE="bobobase_modification_time">Last Modified
</SELECT>
</SELECT>
<span class="form-label">
<INPUT TYPE="checkbox" NAME="rkey" VALUE="reverse"> Reverse?
</span>
......@@ -244,10 +244,10 @@ your search terms below.
</TD>
<TD ALIGN="LEFT" VALIGN="TOP">
<div class="form-text">
<INPUT TYPE="RADIO" NAME="search_sub:int" VALUE="0" <dtml-if "REQUEST.search_sub == 0">CHECKED</dtml-if>>
<INPUT TYPE="RADIO" NAME="search_sub:int" VALUE="0" <dtml-if "REQUEST.search_sub == 0">CHECKED</dtml-if>>
Search only in this folder
<BR>
<INPUT TYPE="RADIO" NAME="search_sub:int" VALUE="1" <dtml-if "REQUEST.search_sub == 1">CHECKED</dtml-if>>
<INPUT TYPE="RADIO" NAME="search_sub:int" VALUE="1" <dtml-if "REQUEST.search_sub == 1">CHECKED</dtml-if>>
Search all subfolders
</div>
</TD>
......@@ -258,7 +258,7 @@ your search terms below.
</TD>
<TD ALIGN="LEFT" VALIGN="TOP">
<div class="form-element">
<INPUT TYPE="SUBMIT" NAME="btn_submit" VALUE="Find">
<INPUT TYPE="SUBMIT" NAME="btn_submit" VALUE="Find">
<span class="form-text">
<dtml-if "searchtype == 'advanced'">
<a href="manage_findForm">Simple...<a>
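Review bot: The `html_quote` added to the obj_ids field in the hunk at `@@ -128,7 +128,7 @@` is the only reflected-value fix in this file, while the other text inputs that echo request values into a `VALUE` attribute sit outside these hunks; each of them should be confirmed to use either the `&dtml-name;` entity form (which quotes by default, as `&dtml-obj_mtime;` and `&dtml-sequence-item;` do here) or an explicit `<dtml-var "..." html_quote>`. The unchanged last line of the final hunk, `<a href="manage_findForm">Simple...<a>`, opens a second anchor instead of closing the first and should read `<a href="manage_findForm">Simple...</a>`. The changelog entry in the first section cites PloneHotfix20170117 while the merge title says 20170717, so one of the two dates looks mistyped.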
......